Threat Watch

Mobile Fleeceware Targeting Android Users

Researchers at Zimperium have found that more than 10 million Android users have been infected by malicious apps distributing fleeceware named GriftHorse. Fleeceware is a trojanized application that subscribes victims to premium services that cost them money. More than 130 apps on the Google Play Store have been identified as spreading this malware. GriftHorse rode onto the scene in November of last year, and by now, “the total amount stolen could be well into the hundreds of millions of Euros,” according to Zimperium researchers, with each victim paying upwards of $40 per month. Google has removed the identified apps from the Play Store, but the malware is far from controlled. It can still live on devices that have the apps installed, and it can be distributed through new apps.

The malicious apps create pop-ups on a user’s device telling them they have won a prize. This happens no fewer than five times an hour until the user gets annoyed and clicks on the pop-up. From there, the malware creators have crafted the malware to use geolocation to customize the displayed webpage to the victim’s location. This allows the malware to be active in over 70 countries, because the scam changes based on the victims’ locations and can be adapted to match their language. The redirect page asks targets to submit their phone numbers for “verification.” In reality, typing in the number merely subscribes them to a premium SMS service that charges $42 on average per month (€36), which shows up on their phone bills.

ANALYST NOTES

The developers of these malicious apps have employed many techniques to evade detection. These include a no-reuse policy on their domains and building the apps with Apache Cordova. Apache Cordova allows developers to use standard web technologies – HTML5, CSS3, and JavaScript – for cross-platform mobile development, which, in turn, allows them to push out updates to apps without requiring user interaction. This can be used to host malicious code on the server and have it executed in real time. This, along with encryption, makes it hard for the malware to be identified. A list of the malicious apps can be found in the source document. Anyone with an Android device should ensure that these apps are not downloaded. Android users should also check billing statements for any fraudulent charges and report them immediately.

Source: https://threatpost.com/grifthorse-money-stealing-trojan-android/175130/