Dangerous malware targets over 10 million Android users: Details here
Numerous mobile applications—functioning as Trojans—have been subscribing unsuspecting users to paid services since November 2020, researchers at mobile security company Zimperium have discovered. Named GriftHorse by researchers Aazim Yaswant and Nipun Gupta, the malware campaign targeted over 10 million Android users in more than 70 countries and stole "hundreds of millions of Euros." The malicious apps were distributed through the Google Play Store and third-party application stores.
GriftHorse uses spamming, misinformation, local language to trick users
Once a phone is infected, its owner receives at least five spam notifications an hour announcing a fake prize. A victim who accepts the offer is redirected to a web page that asks for a phone number "for verification"; the pages are written in the local language to build trust. Submitted numbers are then enrolled in a premium SMS service that charges more than €30 a month.
Developers used the Apache Cordova framework to build the malicious applications
The cybercriminals built the Trojans with Apache Cordova, a framework for cross-platform mobile development. Cordova also lets developers push application updates automatically; in this case, victims kept losing money until they spotted the recurring charge and contacted their SIM operators to stop it. To evade detection, the developers avoided hard-coded URLs and did not reuse domains. The content served to a Trojan depended on the user's location, so the pages appeared in the local language.
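The following Python script is an added example, not code from the article or from Zimperium. It performs the kind of static triage an analyst would run on a suspicious APK: it checks for the files a Cordova build always ships and scans text assets for hard-coded URLs. The two samples it inspects are constructed in memory, one with a hard-coded landing page and one that assembles its URL at runtime, to show why avoiding hard-coded URLs defeats simple string indicators even when the Cordova shell itself is easy to spot. The marker paths and the URL heuristic are assumptions of this example.

```python
"""Static triage of an Android APK for Cordova markers and hard-coded URLs.

Added example, not code from the original article or from Zimperium. The APK
contents below are constructed in memory; the marker paths and the URL regex
are triage heuristics, not a definitive Cordova signature.
"""
import io
import re
import zipfile
from typing import Dict, List

# Files a Cordova-built Android app ships regardless of what the app does.
CORDOVA_MARKERS = (
    "assets/www/cordova.js",
    "assets/www/cordova_plugins.js",
    "res/xml/config.xml",
)

# Plain-text URL pattern; good enough for triage, not a full RFC 3986 parser.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Text-like assets worth scanning for URLs. classes.dex and native libraries
# need a proper disassembler and are deliberately skipped here.
TEXT_EXTENSIONS = (".js", ".html", ".json", ".xml", ".txt", ".css")


def triage_apk(apk_bytes: bytes) -> Dict[str, object]:
    """Return which Cordova markers are present and every URL found in text assets."""
    found_markers: List[str] = []
    urls = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        found_markers = [m for m in CORDOVA_MARKERS if m in names]
        for name in names:
            if name.endswith(TEXT_EXTENSIONS):
                for match in URL_RE.findall(apk.read(name)):
                    urls.add(match.decode("ascii", "replace"))
    return {
        "is_cordova": bool(found_markers),
        "cordova_markers": found_markers,
        "urls": sorted(urls),
    }


def build_sample_apk(index_html: str) -> bytes:
    """Construct a minimal Cordova-shaped APK (a zip) in memory for the demo.

    Constructed test input, not a real sample. Only the files the heuristics
    look at are included; a real APK also carries classes.dex, resources and
    the manifest.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/www/cordova.js", "/* cordova runtime stub */")
        z.writestr("assets/www/cordova_plugins.js", "module.exports = [];")
        z.writestr("res/xml/config.xml", '<widget id="com.example.app"/>')
        z.writestr("assets/www/index.html", index_html)
    return buf.getvalue()


# Two constructed variants: one hard-codes its landing page (trivial to
# indicator-match), the other assembles the URL at runtime from fragments and
# the device language, the evasion pattern the article describes.
HARDCODED_SHELL = build_sample_apk(
    '<script>fetch("https://landing.example.test/offer").then(r => r.text())</script>'
)
DYNAMIC_SHELL = build_sample_apk(
    "<script>"
    "const host = ['lan', 'ding', '.exa', 'mple', '.test'].join('');"
    'fetch("https" + "://" + host + "/" + navigator.language).then(r => r.text())'
    "</script>"
)

if __name__ == "__main__":
    for label, sample in (("hardcoded", HARDCODED_SHELL), ("dynamic", DYNAMIC_SHELL)):
        print(label, triage_apk(sample))
```

Both samples are correctly flagged as Cordova apps, but only the first yields a URL indicator; the second would need dynamic analysis (running the WebView and capturing network traffic) to recover its landing page, which is exactly the extra cost the evasion imposes on defenders.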
GriftHorse went undetected by antivirus software vendors for months
According to the Zimperium researchers, more than 200 Trojan applications were used in the campaign, and they went undetected by other antivirus vendors for several months. Zimperium reported its findings to Google, which removed the malicious applications from the Google Play Store; third-party application stores, however, may still be hosting them.
New threats take advantage of cross-platform development frameworks
The Zimperium researchers also warned that "the technique of abusing cross-platform development frameworks to stay undetected" is becoming more common, and that such campaigns are harder for antivirus providers to detect.