More than 10 million Android users have been infected with malware called Grift Horse, which trojanises a wide range of applications and secretly subscribes victims to premium mobile services, a type of billing fraud that researchers categorise as “fleeceware.”
The mobile malware has stolen hundreds of millions of dollars from victims worldwide, using sophisticated techniques.
Zimperium uncovered more than 130 Grift Horse apps being distributed through both Google Play and third-party application stores, across all categories.
Premium Services
Some of the apps have basic functionality and some do nothing at all, researchers said. In either case, once installed, they lead to victims being billed for premium services, but phone owners are usually none the wiser until they take a look at their mobile bills.
Grift Horse first appeared in November 2020, and by now, “the total amount stolen could be well into the hundreds of millions of Euros,” according to Zimperium researchers, with each victim paying upwards of $40 per month.
70 Countries
Victims span 70 countries, all carrying extra charges that they may not be aware of. Google removed the flagged apps, but Grift Horse is far from stopped: there could be additional Play apps, installs could still be active on people’s phones, and the apps remain in many unofficial stores.
If users are unlucky enough to download one of the apps, they’ll find themselves “bombarded with alerts on the screen letting them know they had won a prize & need to claim it immediately,” according to Zimperium’s Wednesday analysis. “These pop ups reappear no less than 5 times per hour until the application user successfully accepts the offer.”
IP Addresses
This is where it gets sneaky: upon accepting the invitation for the prize, the malware serves victims selective pages, based on the geolocation of their IP addresses, using the local language and targeted verbiage. Those pages are also dynamically generated so that security products cannot blacklist fixed strings.
“These cyber-criminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains, & filtering/serving the malicious payload based on the originating IP address’s geolocation,” according to the researchers.
Dynamic Analysis
“This method allowed the attackers to target different countries in different ways. This check on the server-side evades dynamic analysis checking for network communication & behaviours.”
The redirect page asks targets to submit their phone numbers for “verification.” In reality, typing in the numbers merely subscribes them to a premium SMS service that charges $42 on average per month (€36), which will show up on their phone bills.
Looking Grift Horse in the Mouth
The creators of the apps have employed several novel techniques to help the apps stay off the radar of security vendors, the analysis found. In addition to the no-reuse policy for URLs mentioned above, the cyber-criminals are also developing the apps using Apache Cordova.
Cordova allows developers to use standard web technologies (HTML5, CSS3 and JavaScript) for cross-platform mobile development, which in turn allows them to push out updates to apps without requiring user interaction.
Malicious Code
“This technology can be abused to host the malicious code on the server & develop an application that executes this code in real-time,” according to Zimperium. “The application displays as a web page that references HTML, CSS, JavaScript & images.”
The campaign is also supported with a sophisticated architecture & plenty of encryption, which makes detection more difficult, according to the researchers.
For instance, when an app is launched, the encrypted files stored in the “assets/www” folder are decrypted using AES. After a bit more unpacking, the core functionality source code uses the GetData() function to establish communication between the application and a first-stage command-and-control (C2) server by encrypting an HTTP POST request.
Encrypted Response
The app then receives an encrypted response, which is decrypted using AES to obtain a second-stage C2 URL. It also executes a GET request using Cordova’s “InAppBrowser” function to uncover a third-stage URL, and it starts pushing user notifications about the supposed “prize” once an hour, 5 times in a row, according to the analysis.
“The second-stage C2 domain is always the same irrespective of the application or the geolocation of the victim,” researchers explained. “The third-stage URL displays the final page asking for the victim’s phone number & subscribes to several paid services & premium subscriptions.”
JavaScript Code
JavaScript code embedded in the page is responsible for the malicious behaviour of the application, researchers added:
“The interaction between the WebPage and the in-app functions is facilitated by the JavaScript Interface, which allows JavaScript code inside a WebView to trigger actions in the native (application-level) code. This can include the collection of data about the device, including IMEI and IMSI among others.”
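The two traits described above (encrypted web assets under “assets/www” that only become readable at runtime, and a JavaScript-to-native bridge exposed to that web content) are both visible to static triage before an app is ever run. The script below is an added example written for this page, not Zimperium’s tooling or anything from the campaign: it opens an APK as a zip, flags files under “assets/www” whose byte entropy is consistent with ciphertext, and greps the DEX for the `addJavascriptInterface` / `android.webkit.JavascriptInterface` strings. The entropy threshold, the plaintext markers, the media-extension skip list and the sample APKs it builds are all assumptions of the example; the “suspicious” sample uses seeded random bytes as a stand-in for AES ciphertext, and neither sample is real malware.

```python
"""Static triage of an APK for two traits GriftHorse-style apps share:
encrypted Cordova web assets and an exposed JavaScript-to-native bridge.
Added example for this page; thresholds and markers are assumptions."""
import io
import math
import random
import zipfile
from collections import Counter

# Plaintext markers that readable Cordova web assets normally contain.
# Multi-byte markers only, so ciphertext will not match one by chance.
TEXT_MARKERS = (b"<!DOCTYPE", b"<html", b"<script", b"function", b"var ", b"cordova")
# DEX strings showing the app exposes a WebView-to-native bridge.
BRIDGE_MARKERS = (b"addJavascriptInterface", b"Landroid/webkit/JavascriptInterface;")
# Compressed media is high-entropy by nature; skip it to avoid false positives.
MEDIA_EXT = (".png", ".jpg", ".jpeg", ".gif", ".woff", ".woff2", ".ttf", ".mp3")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """High entropy with no plaintext markers is consistent with ciphertext."""
    if len(data) < 64 or any(m in data for m in TEXT_MARKERS):
        return False
    return shannon_entropy(data) > threshold


def triage_apk(apk_bytes: bytes) -> dict:
    """Inspect an APK (a zip file) for encrypted web assets and a JS bridge."""
    report = {"is_cordova": False, "www_files": 0, "encrypted_www_files": [], "js_bridge": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = [n for n in apk.namelist() if not n.endswith("/")]
        # Cordova builds ship a web bundle plus cordova.js or a config.xml.
        report["is_cordova"] = any(n.startswith("assets/www/") for n in names) and (
            "assets/www/cordova.js" in names or "res/xml/config.xml" in names)
        for name in names:
            data = apk.read(name)
            if name.startswith("assets/www/"):
                report["www_files"] += 1
                if not name.lower().endswith(MEDIA_EXT) and looks_encrypted(data):
                    report["encrypted_www_files"].append(name)
            elif name.startswith("classes") and name.endswith(".dex"):
                if any(m in data for m in BRIDGE_MARKERS):
                    report["js_bridge"] = True
    return report


def suspicious_traits(report: dict) -> list:
    """Turn a triage report into reviewer-facing findings (empty if clean)."""
    findings = []
    if report["is_cordova"] and report["encrypted_www_files"]:
        findings.append("Cordova bundle whose web assets are encrypted and only decrypted at runtime")
    if report["js_bridge"] and report["encrypted_www_files"]:
        findings.append("JavaScript-to-native bridge exposed to web content that cannot be reviewed statically")
    return findings


def build_sample_apk(encrypted: bool) -> bytes:
    """Constructed sample APK for the demo; not a real app or malware sample."""
    rng = random.Random(7)  # seeded so the demo is deterministic
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary-XML header stub
        apk.writestr("res/xml/config.xml", b'<widget id="com.example.placeholder"/>')
        apk.writestr("assets/www/cordova.js", b"var cordova = {}; function require(id) {}")
        apk.writestr("assets/www/img/logo.png", bytes(rng.randrange(256) for _ in range(512)))
        if encrypted:
            payload = bytes(rng.randrange(256) for _ in range(4096))  # stand-in for AES ciphertext
            dex = b"dex\n035\x00" + b"\x00".join(BRIDGE_MARKERS) + b"\x00"
        else:
            payload = b"<!DOCTYPE html><html><body><p>hello</p></body></html>\n" * 40
            dex = b"dex\n035\x00Lcom/example/MainActivity;\x00"
        apk.writestr("assets/www/index.html", payload)
        apk.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_apk(False)), ("suspicious", build_sample_apk(True))):
        rep = triage_apk(sample)
        print(label, rep, suspicious_traits(rep))
```

Run it against a real APK by passing the file’s bytes to `triage_apk`. An encrypted-assets finding on its own is not proof of fraud (some legitimate apps obfuscate their web bundle), which is why `suspicious_traits` reports the combination of traits rather than a verdict; the payoff is that a Cordova app whose entire web bundle is opaque and which also exposes a native bridge is exactly the shape the analysis above describes, and it can be queued for dynamic analysis on that basis.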
Android Fleeceware
Grift Horse is not the only malware that looks to defraud victims via trojanised apps. The well-documented Joker malware, for example, has been circulating since 2017, disguising itself within hundreds of common, legitimate apps such as camera apps, games, messengers, photo editors, translators and wallpapers.
Once installed, Joker silently simulates clicks and intercepts SMS messages to subscribe victims to unwanted, paid premium services controlled by the attackers. The apps also steal SMS messages, contact lists and device information.
Grift Horse takes a slightly different approach than Joker, but Zimperium warned that it’s just as virulent.
Maximise their Presence
“The threat actors have exerted substantial effort to maximise their presence in the Android ecosystem through a large number of applications, developer accounts & domains,” they said.
“The Grift Horse campaign is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021.
The cyber-criminal group behind the Grift Horse campaign has built a stable cash flow of illicit funds from these victims, generating millions in recurring revenue each month with the total amount stolen potentially well into the hundreds of millions.”
Detected GriftHorse Apps
- 100% Projector for Mobile Phone
- 3D Camera to Plan
- Amazing Sticky Slime Simulator ASMR
- Amazing Video Editor
- AR Phone Booster – Battery Saver
- Bag X-Ray 100% Scanner
- Battery Live Wallpaper 4K
- Bus – Metrolis 2021
- Bus Driving Simulator
- Call Blocker-Spam Call Blocker
- Call Blocker-Spam Call Blocker
- Call Recoder Pro
- Call Record Pro
- Call Recorder iCall
- Caller ID & Spam Blocker
- CallerID
- Caller-x
- CallHelp: Second Phone Number
- Chat Translator All Messengers
- CIAO – Live Video Chat
- Cinema Hall: Free HD Movies
- Clap
- Clap To Find My Phone
- ClipBuddy
- Color Call Changer
- Coupons & Gifts: InstaShop
- CutCut Pro
- Daily Horoscope & Life Palmestry
- Dating App – Sweet Meet
- Easy Bass Booster
- Easy TV Show
- Ela-Salaty: Muslim Prayer Times & Qibla Direction
- English Arabic Translator direct
- Face Analyzer
- FastPulse – Heart Rate Monitor
- FindContact
- Fingerprint Changer
- Fingerprint Defender
- Fitness Point
- Fitness Trainer
- Forza H Mobile 4 Ultimate Edition
- Free Calls WorldWide
- Free Coupons 2021
- Free Islamic Stickers 2021
- Free Translator Photo
- FX Keyboard
- Geospot: GPS Location Tracker
- GetContacter
- GPS Phone Tracker – Family Locator
- Handy Translator Pro
- Heart Rate & Meal Tracker
- Heart Rate & Pulse Tracker
- Heart Rate Pro Health Monitor
- Heart Rhythm
- HOO Live – Meet & Chat
- Horoscope : Fortune
- Hunt Contact
- iCare – Find Location
- iConnected Tracker
- Icony
- Idle Gun Tycoon
- Instant Speech Translation
- Intelligent Translator Pro
- iSalam Qibla Compass
- iTranslator_ Text & Voice & Photo
- Keyboard Themes
- Keyboard: Virtual Projector App
- KFC Saudi – Get free delivery & 50% off coupons
- Language Translator-Easy&Fast
- Launcher iOS 15
- Launcher iOS for Android
- Lifeel – scan & test
- Live Mobile Number Tracker
- Live Wallpaper & Background
- Loca – Find Location
- Locatoria – Find Location
- Locker Tool
- Ludo Game Classic
- Ludo Speak v2.0
- Mine Easy Translator
- Mobile Things Finder
- My Chat Translator
- My Locator Plus
- OFFRoaders – Survive
- Parallax paper 3D
- Phone Caller Screen 2021
- Phone Finder by Clapping
- Phone Search by Clap
- Phone Control Block Spam Calls
- Photo Effect Pro
- Photo Lab
- Piano Bot Easy Lessons
- PikCho Editor app
- Plant Camera Identifier
- Pony Video Chat-Live Stream
- Proof-Caller
- Prookie-Cartoon Photo Editor
- Pulse App – Heart Rate Monitor
- Qibla AR Pro
- Qibla Compass
- Qibla Compass (Kaaba Locator)
- Qibla correct Quran Coran Koran
- Qibla direction watch (compass)
- Qibla Finder – Qibla Direction
- Qibla Pass Direction
- Qibla Ultimate
- QR Code Reader – Barcode Scanner
- QR Reader Pro
- R Circle – Location Finder
- Racers Car Driver
- Safe Lock
- Scanner App Scan Docs & Notes
- Scanner Pro App: PDF Document
- Screen Mirroring TV Cast
- Second Translate PRO
- Skycoach
- Slime Simulator
- Smart Call Recorder
- Smart Spot Locator
- SnapLens – Photo Translator
- Soul Scanner – Check Your
- Squishy & Pop it
- Stickers Maker for WhatsApp
- Street Cars: pro Racing
- TagsContact
- Translate It – Online App
- Truck – RoudDrive Offroad
- TrueCaller & TrueRecoder
- Vector arts
- Video & Photo Recovery Manager 2
- VPN Zone – Fast & Easy Proxy
- What’s Me Sticker
- WiFi Unlock Password Pro X
- You Frame
- Zodiac : Hand
- Быстрые кредиты 24\7