‘Grift Horse’ Money-Stealing Trojan Takes 10m Android Users for a Ride!

Over 10m Android users have been infected with malware called Grift Horse, which trojanises various applications & secretly subscribes victims to premium mobile services – a type of billing fraud that researchers categorise as “fleeceware.”

The mobile malware has stolen 100s of millions of dollars from victims globally, using sophisticated techniques.

Zimperium uncovered more than 130 Grift Horse apps being distributed through both Google Play and third-party application stores, across all categories.

Premium Services

Some of them have basic functionality, & some of them do nothing, researchers said. In either case, once installed, they lead to victims being billed for premium services – but phone owners are usually none the wiser until they take a look at their mobile bills.

Grift Horse arrived in Nov. 2020, & by now, “the total amount stolen could be well into the 100s of millions of Euros,” according to Zimperium researchers, with each victim paying upwards of $40 per month.

70 Countries

Victims range across 70 countries, all racking up extra charges that they may not be aware of. Google removed the flagged apps, but Grift Horse is far from stopped: There could be additional Play apps, installs could still be active on people’s phones, & the apps remain in many unofficial stores.

If users are unlucky enough to download 1 of the apps, they’ll find themselves “bombarded with alerts on the screen letting them know they had won a prize & need to claim it immediately,” according to Zimperium’s Wed. analysis. “These pop ups reappear no less than 5 times per hour until the application user successfully accepts the offer.”

IP Addresses

This is where it gets sneaky: Upon accepting the invitation for the prize, the malware serves victims selective pages, based on the geolocation of their IP addresses, using the local language & targeted verbiage. Those pages are also dynamically generated to avoid the blacklisting of strings by security solutions.

“These cyber-criminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains, & filtering/serving the malicious payload based on the originating IP address’s geolocation,” according to the researchers.

Dynamic Analysis

“This method allowed the attackers to target different countries in different ways. This check on the server-side evades dynamic analysis checking for network communication & behaviours.”

The redirect page asks targets to submit their phone numbers for “verification.” In reality, typing in the numbers merely subscribes them to a premium SMS service that charges $42 on average per month (€36), which will show up on their phone bills.

Looking Grift Horse in the Mouth

The creators of the apps have employed several novel techniques to help the apps stay off the radar of security vendors, the analysis found. In addition to the no-reuse policy for URLs mentioned above, the cyber-criminals are also developing the apps using Apache Cordova.

Cordova allows developers to use standard web technologies (HTML5, CSS3 & JavaScript) for cross-platform mobile development, which in turn allows them to push out updates to apps without requiring user interaction.

Malicious Code

“This technology can be abused to host the malicious code on the server & develop an application that executes this code in real-time,” according to Zimperium. “The application displays as a web page that references HTML, CSS, JavaScript & images.”

The campaign is also supported with a sophisticated architecture & plenty of encryption, which makes detection more difficult, according to the researchers.

For instance, when an app is launched, the encrypted files stored in the “assets/www” folder are decrypted using AES. After a bit more unpacking, the core functionality source code uses the GetData() function to establish communication between the application & a 1st-stage command-&-control (C2) server by encrypting an HTTP POST request.
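A triage heuristic built on the packaging described above: a Cordova app whose assets/www content is not readable HTML/JS is worth a second look. This is an added example, not code from Zimperium or the article; the sample APK is constructed in memory, and the file names and entropy threshold are assumptions.

```python
"""Flag Cordova APKs whose assets/www files look encrypted rather than plain web assets."""
import io
import math
import zipfile
from collections import Counter

# Assumed marker paths: a stock Cordova build ships cordova.js under assets/www
# and its config.xml under res/xml.
CORDOVA_MARKERS = ("assets/www/cordova.js", "res/xml/config.xml")
TEXT_EXT = (".html", ".htm", ".js", ".css", ".json")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for AES ciphertext, roughly 4-5 for source text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, threshold: float = 7.5) -> dict:
    """Return Cordova markers found and assets/www entries that look encrypted."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = set(zf.namelist())
        markers = [m for m in CORDOVA_MARKERS if m in names]
        for name in sorted(names):
            if not name.startswith("assets/www/") or name.endswith("/"):
                continue
            data = zf.read(name)
            try:
                data.decode("utf-8")
                decodes = True
            except UnicodeDecodeError:
                decodes = False
            # High entropy plus either a text extension or undecodable bytes:
            # a web asset that is not web text, the pattern the article describes.
            if shannon_entropy(data) >= threshold and (name.lower().endswith(TEXT_EXT) or not decodes):
                suspicious.append((name, round(shannon_entropy(data), 2)))
    return {"markers": markers, "encrypted_assets": suspicious,
            "flag": bool(markers) and bool(suspicious)}


def build_sample_apk() -> bytes:
    """Constructed sample: Cordova markers, one plaintext asset, one 'encrypted' asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/xml/config.xml", "<widget id='example.app'/>")  # constructed
        zf.writestr("assets/www/cordova.js", "var cordova = {};\n")
        zf.writestr("assets/www/index.html", "<html><body>Hello</body></html>\n" * 20)
        zf.writestr("assets/www/app.js.enc", bytes(range(256)) * 16)  # stands in for AES output
    return buf.getvalue()
```

Run `triage_apk(build_sample_apk())` to see the constructed sample flagged; on a real APK, pass the file's bytes instead.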

Encrypted Response

The app then receives an encrypted response, which is decrypted using AES to collect a 2nd-stage C2 URL. It also executes a GET request using Cordova’s “InAppBrowser” function to uncover a 3rd-stage URL, & it starts pushing user notifications about the supposed “prize” once an hour, 5 times in a row, according to the analysis.

“The 2nd-stage C2 domain is always the same irrespective of the application or the geolocation of the victim,” researchers explained. “The 3rd-stage URL displays the final page asking for the victim’s phone number & subscribes to several paid services & premium subscriptions.”

JavaScript Code

JavaScript code embedded in the page is responsible for the malicious behaviour of the application, researchers added:

“The interaction between the WebPage and the in-app functions is facilitated by the JavaScript Interface, which allows JavaScript code inside a WebView to trigger actions in the native (application-level) code. This can include the collection of data about the device, including IMEI and IMSI among others.”

Android Fleeceware

Grift Horse is not the only malware that looks to defraud victims via trojanised apps. The well-documented Joker malware, for example, has been circulating since 2017, disguising itself within 100s of common, legitimate apps like camera apps, games, messengers, photo editors, translators & wallpapers.

Once installed, Joker silently simulates clicks & intercepts SMS messages to subscribe victims to unwanted, paid premium services controlled by the attackers. The apps also steal SMS messages, contact lists & device information.

Grift Horse takes a slightly different approach than Joker, but Zimperium warned that it’s just as virulent.

Maximise their Presence

“The threat actors have exerted substantial effort to maximise their presence in the Android ecosystem through a large number of applications, developer accounts & domains,” they said.

“The Grift Horse campaign is 1 of the most widespread campaigns the zLabs threat research team has witnessed in 2021.

The cyber-criminal group behind the Grift Horse campaign has built a stable cash flow of illicit funds from these victims, generating millions in recurring revenue each month with the total amount stolen potentially well into the 100s of millions.”

Detected GriftHorse Apps

  1. 100% Projector for Mobile Phone
  2. 3D Camera to Plan
  3. Amazing Sticky Slime Simulator ASMR
  4. Amazing Video Editor
  5. AR Phone Booster – Battery Saver
  6. Bag X-Ray 100% Scanner
  7. Battery Live Wallpaper 4K
  8. Bus – Metrolis 2021
  9. Bus Driving Simulator
  10. Call Blocker-Spam Call Blocker
  11. Call Blocker-Spam Call Blocker
  12. Call Recoder Pro
  13. Call Record Pro
  14. Call Recorder iCall
  15. Caller ID & Spam Blocker
  16. CallerID
  17. Caller-x
  18. CallHelp: Second Phone Number
  19. Chat Translator All Messengers
  20. CIAO – Live Video Chat
  21. Cinema Hall: Free HD Movies
  22. Clap
  23. Clap To Find My Phone
  24. ClipBuddy
  25. Color Call Changer
  26. Coupons & Gifts: InstaShop
  27. CutCut Pro
  28. Daily Horoscope & Life Palmestry
  29. Dating App – Sweet Meet
  30. Easy Bass Booster
  31. Easy TV Show
  32. Ela-Salaty: Muslim Prayer Times & Qibla Direction
  33. English Arabic Translator direct
  34. Face Analyzer
  35. FastPulse – Heart Rate Monitor
  36. FindContact
  37. Fingerprint Changer
  38. Fingerprint Defender
  39. Fitness Point
  40. Fitness Trainer
  41. Forza H Mobile 4 Ultimate Edition
  42. Free Calls WorldWide
  43. Free Coupons 2021
  44. Free Islamic Stickers 2021
  45. Free Translator Photo
  46. FX Keyboard
  47. Geospot: GPS Location Tracker
  48. GetContacter
  49. GPS Phone Tracker – Family Locator
  50. Handy Translator Pro
  51. Heart Rate & Meal Tracker
  52. Heart Rate & Pulse Tracker
  53. Heart Rate Pro Health Monitor
  54. Heart Rhythm
  55. HOO Live – Meet & Chat
  56. Horoscope : Fortune
  57. Hunt Contact
  58. iCare – Find Location
  59. iConnected Tracker
  60. Icony
  61. Idle Gun Tycoon
  62. Instant Speech Translation
  63. Intelligent Translator Pro
  64. iSalam Qibla Compass
  65. iTranslator_ Text & Voice & Photo
  66. Keyboard Themes
  67. Keyboard: Virtual Projector App
  68. KFC Saudi – Get free delivery & 50% off coupons
  69. Language Translator-Easy&Fast
  70. Launcher iOS 15
  71. Launcher iOS for Android
  72. Lifeel – scan & test
  73. Live Mobile Number Tracker
  74. Live Wallpaper & Background
  75. Loca – Find Location
  76. Locatoria – Find Location
  77. Locker Tool
  78. Ludo Game Classic
  79. Ludo Speak v2.0
  80. Mine Easy Translator
  81. Mobile Things Finder
  82. My Chat Translator
  83. My Locator Plus
  84. OFFRoaders – Survive
  85. Parallax paper 3D
  86. Phone Caller Screen 2021
  87. Phone Finder by Clapping
  88. Phone Search by Clap
  89. Phone Control Block Spam Calls
  90. Photo Effect Pro
  91. Photo Lab
  92. Piano Bot Easy Lessons
  93. PikCho Editor app
  94. Plant Camera Identifier
  95. Pony Video Chat-Live Stream
  96. Proof-Caller
  97. Prookie-Cartoon Photo Editor
  98. Pulse App – Heart Rate Monitor
  99. Qibla AR Pro
  100. Qibla Compass
  101. Qibla Compass (Kaaba Locator)
  102. Qibla correct Quran Coran Koran
  103. Qibla direction watch (compass)
  104. Qibla Finder – Qibla Direction
  105. Qibla Pass Direction
  106. Qibla Ultimate
  107. QR Code Reader – Barcode Scanner
  108. QR Reader Pro
  109. R Circle – Location Finder
  110. Racers Car Driver
  111. Safe Lock
  112. Scanner App Scan Docs & Notes
  113. Scanner Pro App: PDF Document
  114. Screen Mirroring TV Cast
  115. Second Translate PRO
  116. Skycoach
  117. Slime Simulator
  118. Smart Call Recorder
  119. Smart Spot Locator
  120. SnapLens – Photo Translator
  121. Soul Scanner – Check Your
  122. Squishy & Pop it
  123. Stickers Maker for WhatsApp
  124. Street Cars: pro Racing
  125. TagsContact
  126. Translate It – Online App
  127. Truck – RoudDrive Offroad
  128. TrueCaller & TrueRecoder
  129. Vector arts
  130. Video & Photo Recovery Manager 2
  131. VPN Zone – Fast & Easy Proxy
  132. What’s Me Sticker
  133. WiFi Unlock Password Pro X
  134. You Frame
  135. Zodiac : Hand
  136. Быстрые кредиты 24\7
