‘GriftHorse’ Android Trojan: 10M Victims Lose Millions per Month

Researchers found a huge nest of Trojan apps in the Google Play Store. Dubbed GriftHorse, the malware in these 200+ Android apps tricked victims into subscribing to premium SMS services.

At a recurring $35, the scrotes could be earning as much as $4 million/month. But should we blame Google? The Apache Cordova app framework? Or perhaps the mobile networks that blindly enable these dodgy SMS services?

GriftHorse is, of course, not to be confused with the podcast of the same name. In today’s SB Blogwatch, we stare into an equine oral abyss.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: People Miss You.

Premium SMS is Still a Thing?

What’s the craic? Catalin Cimpanu reports—“Malware has infected more than 10 million Android phones”:

$4 million per month
The new GriftHorse malware has been distributed via benign-looking apps uploaded on the official Google Play Store. [It] starts peppering users with popups and notifications. … Users who tap on these … are subscribing themselves to premium SMS services that charge over €30 ($35) per month.

The researchers estimated that the GriftHorse gang is currently making [up] to $4 million per month … from their scheme. [They] contacted Google about all the GriftHorse infected apps, which have now been removed from the Play Store.

Where’s the obvious pun? Thomas Claburn obliges—“Don’t look a GriftHorse in the mouth”:

We’ve not heard back
Google, we’re told, has already tamed its online souk. So reviewing the lengthy list of affected apps … probably isn’t necessary for Android devices tied to Google Play.

The malicious code redirects the victim to a webpage tailored for their specific location that then asks for a phone number as verification. That number is actually submitted to a premium SMS service subscription.

What GriftHorse apps have in common is that they were built with the open source Apache Cordova framework, which … provides a way to automatically push updates to apps without user intervention. [We] asked Google whether it anticipates the need to look into limiting the update mechanisms used in Android apps built with Apache Cordova, but we’ve not heard back.

Whodunit? Zimperium’s Aazim Yaswant and Nipun Gupta—“GriftHorse Android Trojan”:

Threat to Android users
[We] recently discovered an aggressive mobile premium services campaign with upwards of 10 million victims globally [who] get charged month over month for the premium service they get subscribed to without their knowledge and consent. … The total amount stolen could be well into the hundreds of millions.

The GriftHorse campaign is one of the most widespread campaigns [we’ve] witnessed in 2021, attributing its success to … the level of sophistication, use of novel techniques, and determination displayed by the threat actors, [which] allowed them to stay undetected for several months. … The cybercriminal group behind the GriftHorse campaign has built a stable cash flow of illicit funds.

[It] dates back to November 2020, suggesting that their patience and persistence will probably not come to an end with the closing down of this campaign. The threat to Android users will always be present.

But what if I don’t use Google Play? AmiMoJo says this is important:

Owners need to check themselves
This is actually quite important: … Any phone with Google Play Services (99% of them) will have already uninstalled this malware after Google blocklisted it. But devices without any Google services, like those running a Google-free AOSP build or Amazon Fire devices, won’t have got the benefit of that and the owners need to check themselves.
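One way to do that check on a device that has no Play Services, as an added example that is not from the article, the commenter, or Zimperium: pull the installed package list over `adb` and compare it against a list of package names you have chosen to treat as unwanted. The blocklist below is a constructed placeholder; the real names would come from Zimperium’s published list of affected apps, which this page does not reproduce.

```shell
#!/bin/sh
# Added example, not from the article or the researchers.
# Compares an Android package list (the output of `pm list packages`)
# against a blocklist of package names and prints the matches.

# CONSTRUCTED placeholder blocklist, one package name per line.
# Replace with the package names from the vendor's published list.
BLOCKLIST='com.example.placeholder.one
com.example.placeholder.two'

# Print every package in the `pm list packages` text ($1) that also
# appears in the blocklist text ($2). Output is one package per line.
find_flagged_packages() {
    # Strip the "package:" prefix and any CR left by adb on Windows,
    # then de-duplicate before checking each name against the blocklist.
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | sort -u |
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        # -F fixed string, -x whole line, -q quiet: exact-name match only
        if printf '%s\n' "$2" | grep -Fxq -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Live check: read the package list from an attached device via adb.
# Only runs when explicitly invoked, so the script works offline too.
scan_attached_device() {
    find_flagged_packages "$(adb shell pm list packages)" "$BLOCKLIST"
}

# CONSTRUCTED sample output in `pm list packages` format, for a dry run.
SAMPLE='package:com.android.settings
package:com.example.placeholder.two
package:com.vendor.launcher'

echo "Flagged packages in constructed sample:"
find_flagged_packages "$SAMPLE" "$BLOCKLIST"
```

Run `scan_attached_device` with a device connected and USB debugging enabled; anything it prints can then be removed with `adb uninstall <package-name>`. Matching is on the exact package name, so a blocklist entry only fires for that app, not for packages that merely share a prefix.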

Is there a solution? Alex Russell—@slightlylate—bangs the drum for mobile progressive web apps:

Modern browsers
The app store fig leaf is far too small to protect our collective modesty. It’s time to reconsider native apps on mobile, too. Modern browsers can raise the level the way they did on desktop, if allowed to.

Should we circle the flaming pitchforks around Apache Cordova? Here’s ThatOne:

Random strangers
The whole Apache Cordova framework seems to be an attempt to make … unavoidable advertising. Why else would it provide a way to automatically push stuff without the user being able to prevent it?

In which universe is allowing random strangers to freely and stealthily upload stuff to your devices a good idea? Not in this one.

Wait. Pause. Doesn’t the blame lie elsewhere? stephanruby asks cui bono:

Anyone can be tricked
How are they getting billed for this? If cell phone networks are assisting with the billing, the incentives are on their end not to do anything about it. … The cell phone networks should be the ones who get named and shamed.

Opening a webview is not that difficult. … And anyone can be tricked into entering an SMS verification code into a web form.

Are refunds possible? u/5c044 shares their experience:

He didn’t sign up
My son had one of these premium SMS subscriptions running for 8 months. I got a refund on charges because I was persistent. Mobile operators don’t care.

My son swears absolutely he didn’t sign up. … The company claimed that he signed up—they had date, time, IP address, mobile model.

SMS? Trojans? RyokuMas feels some serious déjà vu:

Wow, substitute “Android” for “Windows” and it’s like I’m back in the late 90s.

Meanwhile, a deeply unsurprised u/LoliLocust channels Jeremy Clarkson:

Oh no!

Anyway …

And Finally:

Rolling Mode

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Mikael Kristenson (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
