GriftHorse malware infected more than 10 million Android phones from 70 countries

Security researchers uncovered a massive malware operation, dubbed GriftHorse, that has already infected more than 10 million Android devices worldwide.

Security researchers from Zimperium have uncovered a piece of malware, dubbed GriftHorse, that has infected more than 10 million Android smartphones across more than 70 countries.

According to the experts, the malware campaign has been active since at least November 2020, threat actors are spreading via apparently harmless apps that were uploaded to the official Google Play Store and third-party Android app stores.

“Zimperium zLabs recently discovered an aggressive mobile premium services campaign with upwards of 10 million victims globally, and the total amount stolen could be well into the hundreds of millions of Euros.” reads the analysis published by Zimperium. “While typical premium service scams take advantage of phishing techniques, this specific global scam has hidden behind malicious Android applications acting as Trojans, allowing it to take advantage of user interactions for increased spread and infection.”

Operators behind the campaign are carrying out a global premium services Trojan campaign, the malicious code subscribes the owners of infected devices to paid services, charging a premium amounting to around 36 Euros per month.

The users are bombarded with alerts on the screen that inform them that they have won a prize and ask them to accept the invitation to receive it. The victims are bombarded with pop-ups that reappear no less than five times per hour.

“Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone numbers for verification. But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 per month.” continues the report. “The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back.”

Zimperium researchers pointed out that GriftHorse coders invested a significant effort in developing high-quality code, they also used a wide spectrum of websites, over 200 Trojan applications to infect the largest number of users as possible remaining under the radar.

The attackers are spreading their apps across multiple categories in order to extend the range of potential victims.

The researchers also estimated the potential profits of this malware campaign, the GriftHorse operators are currently making between €1.2 million and €3.5 million per month from the criminal activity.

“The cybercriminal group behind the GriftHorse campaign has built a stable cash flow of illicit funds from these victims, generating millions in recurring revenue each month with the total amount stolen potentially well into the hundreds of millions.” concludes the report. “The campaign has been actively under development for several months, starting from November 2020, and the last updated time dates back to April 2021. This means one of their first victims, if they have not shut off the scam, has lost more than €200 at the time of writing. The cumulative loss of the victims adds up to a massive profit for the cybercriminal group.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GriftHorse )

[adrotate banner=”5″]

[adrotate banner=”13″]