Over 10 million Android smartphones have reportedly been affected by a new malware called GriftHorse. It was discovered by researchers at mobile security firm Zimperium, whose research suggests the threat group had been running the campaign since November 2020. The research firm notes that the GriftHorse malware was distributed through both Google Play and third-party application stores and stole “hundreds of millions of Euros” from affected users. The malware disguised itself within the apps’ code and tricked users into clicking on fishy links in order to redirect money into their accounts. Zimperium's research claims these malicious Android apps appear “harmless” at first in terms of their app description and requested permissions; however, they essentially trick users into subscribing to premium services without their knowledge and consent in order to extract money.
In a blog post, the company says the malicious apps pose a threat to all Android devices by functioning as a Trojan and charging a premium amounting to around EUR 36 (roughly Rs 3,100) per month. The campaign has reportedly targeted millions of users from over 70 countries by selectively serving malicious pages in the local language, based on the geolocation of each user's IP address. Because the campaign is delivered in local languages, the attack appears to have a higher success rate. The GriftHorse campaign is one of the most “widespread campaigns” the zLabs threat research team has witnessed in 2021, the company notes. GriftHorse essentially sends sophisticated popups and notifications, promising various prizes and special offers. Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. In doing so, however, users are subscribing themselves to special SMS services that charge a premium, which is later redirected to the operator’s account.
Some of the popular apps infected with the GriftHorse malware include Handy Translator Pro, Heart Rate and Pulse Tracker, Geospot: GPS Location Tracker, iCare – Find Location, and My Chat Translator. According to the company, users in India are also affected. Zimperium, which is a member of the App Defense Alliance, said it contacted Google about all the GriftHorse-infected apps, which have now been removed from the Play Store. However, these apps may still exist on third-party app stores.