November 17, 2021 By David Bisson 2 min read

A mobile premium services campaign infected over 10 million Android users with the GriftHorse Trojan.

More Than 200 Malicious Apps in Play

Discovered by Zimperium, the GriftHorse Trojan operation used more than 200 Trojan apps to target Android users all over the world.

The largest proportion of those Trojanized apps used entertainment as a theme at 12.7%. This was followed by personalization, lifestyle and simulation at 5.6%, 5.6% and 4.2%, respectively.

Once installed, a GriftHorse’s app began by pushing notifications on the infected device at least five times an hour. The campaign used that to attract the user’s attention and lure them into using the app.

In the end, Trojan campaign used one of two variants to subscribe the victim to several paid and premium SMS services.

The first version required the user to interact with a ‘Continue’ or ‘Click’ button. Doing so sent an SMS text message subscribing the victim to those services.

The second variant performed the same function as the first. However, it required that the victim enter their phone number and register it with the server’s backend before completing the subscriptions. In total, the Trojan’s operators ran this scam on over 10 million Android users in over 70 countries.

Many of those Trojanized apps charged their victims over €30 ($35) per month. Zimperium determined that attackers were using Google’s Play Store and third-party app services to distribute the malware.

The security firm reported the campaign to Google, whose researchers responded by removing the Trojanized apps from the Play Store. At the time of writing, some of the apps were still up on third-party app stores, however.

Similar Android Trojan Attacks

GriftHorse isn’t the only Android malware that’s sought to entrap victims in paid and premium SMS subscriptions.

In April 2021, for instance, Doctor Web discovered the first malware from AppGallery, the official app store for Huawei Android devices. The threat turned out to be a variant of the Joker malware Trojan that used 10 versions of itself to subscribe victims to premium mobile services.

Several months later, security researcher Lukas Stefanko uncovered another version of the Joker malware Trojan. This one used the Netflix series “Squid Game” as a lure to target victims with ad fraud and unwanted SMS subscriptions.

About a month later, Avast uncovered the UltimaSMS campaign. This used 151 apps on Google’s Play Store to enroll victims in premium SMS services.

How to Defend Against Trojan Attacks Like GriftHorse

Organizations can defend against Trojan attacks on mobile by investing in their security awareness training. Specifically, they can create modules around teaching their employees to download apps from trusted developers on official stores only. They can use that same training to teach employees some of the telltale signs of a mobile premium services campaign, such as constant notifications and suspicious recurring payment card charges.

More from News

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today