GriftHorse malware campaign infected over 10M Android smartphones all over the world

Researchers with Zimperium zLabs uncovered an “aggressive mobile premium services campaign” that has infected more than 10 million Android smartphones across 70 countries since at least November 2020.

Dubbed ‘GriftHorse’, the campaign involved seemingly benign Android applications distributed via Google Play and third-party app stores that secretly subscribed the victims to premium services costing €36 (~$42) per month.

The researchers said the malicious campaign used more than 200 trojanized apps, making it “one of the most widespread campaigns” observed in 2021.

The GriftHorse payload was delivered through malicious web pages served selectively: the server chose the page based on the geo-location of the requesting IP address and presented it in that region's local language.

Once installed on the device, the malware shows persistent alerts on the screen telling the victim that they have won a prize and must claim it immediately. After the user accepts the offer, they are redirected to a geo-specific web page where they are asked to enter their phone number for verification. In reality, they are submitting their phone number to a premium SMS service that starts charging their phone bill over €30 per month.

“These cybercriminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains and filtering / serving the malicious payload based on the originating IP address’s geolocation. This method allowed the attackers to target different countries in different ways. This check on the server-side evades dynamic analysis checking for network communication and behaviors,” the researchers said.
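The server-side geofencing described in that quote is the reason a sandbox that exits from one country can miss the payload entirely. The following Python is an added example written for this page, not code from Zimperium or from the GriftHorse operators: `serve` is a hypothetical stand-in for the attacker's geo-filtering handler, `GEOIP_PREFIXES` is a constructed toy GeoIP table using documentation prefixes (with 192.0.2.0/24 assumed to be a sandbox's exit range), and `probe_vantage_points` is the analyst-side check that fetches the same URL from several geographic vantage points and flags the URL when the responses diverge by country.

```python
import hashlib
import ipaddress

# Constructed stand-in for a GeoIP database: documentation prefixes mapped to
# country codes. Assumption: 192.0.2.0/24 plays the role of a sandbox's exit range.
GEOIP_PREFIXES = {
    "203.0.113.0/24": "DE",
    "198.51.100.0/24": "FR",
    "192.0.2.0/24": "US",
}
_NETWORKS = [(ipaddress.ip_network(p), cc) for p, cc in GEOIP_PREFIXES.items()]


def lookup_country(ip: str):
    """Return the country code for ip, or None when it is outside the toy database."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr in net:
            return cc
    return None


# Hypothetical attacker-side handler mirroring the behaviour the article
# describes: the phone-harvesting page is only returned to clients whose IP
# geolocates to a targeted country, in that country's language; everyone else
# (including a sandbox exiting from an untargeted range) receives a harmless decoy.
TARGETED_COUNTRIES = {"DE": "de", "FR": "fr"}
DECOY_PAGE = "<html><body>Thanks for installing!</body></html>"
PAYLOAD_PAGE = (
    '<html lang="{lang}"><body>You won! Enter your phone number to claim: '
    '<form><input type="tel" name="msisdn"></form></body></html>'
)


def serve(client_ip: str) -> dict:
    cc = lookup_country(client_ip)
    if cc in TARGETED_COUNTRIES:
        lang = TARGETED_COUNTRIES[cc]
        return {"country": cc, "lang": lang, "body": PAYLOAD_PAGE.format(lang=lang)}
    return {"country": cc, "lang": "en", "body": DECOY_PAGE}


# Analyst-side check: fetch the same URL from several geographic vantage points
# and compare the bodies. A single-exit sandbox sees only one of them; divergence
# across countries is the signal that the server is geofencing its content.
PHONE_FORM_MARKER = 'type="tel"'


def probe_vantage_points(fetch, vantage_ips: list) -> dict:
    responses = {}
    for ip in vantage_ips:
        body = fetch(ip)["body"]
        responses[ip] = {
            "country": lookup_country(ip),
            "sha256": hashlib.sha256(body.encode()).hexdigest()[:16],
            "asks_for_phone": PHONE_FORM_MARKER in body,
        }
    distinct_bodies = {r["sha256"] for r in responses.values()}
    return {
        "geofenced": len(distinct_bodies) > 1,
        "phone_harvesting_countries": sorted(
            {r["country"] for r in responses.values() if r["asks_for_phone"] and r["country"]}
        ),
        "responses": responses,
    }


if __name__ == "__main__":
    # A sandbox probing from the US range alone sees only the decoy.
    print(serve("192.0.2.10")["body"])
    # Probing from several countries exposes the geofence and the phone form.
    report = probe_vantage_points(serve, ["192.0.2.10", "203.0.113.5", "198.51.100.7"])
    print(report["geofenced"], report["phone_harvesting_countries"])
```

In a real investigation `fetch` would be an HTTP client routed through proxies or cloud regions in the countries of interest, and the comparison should be made on normalized bodies (timestamps and nonces stripped) so that ordinary per-request variation is not mistaken for geofencing.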

“The threat actors have exerted substantial effort to maximize their presence in the Android ecosystem through a large number of applications, developer accounts, and domains. The Zimperium zLab researchers have noticed the technique of abusing cross-platform development frameworks to stay undetected has been on the rise, making it more difficult for legacy mobile AV providers to detect and protect their customers.”

After Zimperium zLabs notified Google of its findings, the offending apps were removed from Google Play. However, the malicious apps are still available on unsecured third-party app repositories, highlighting the risk of sideloading applications from untrusted sources, the researchers warn.
