More than 10 million Android devices have been infected with the GriftHorse Trojan, which subscribes victims to a premium service without their knowledge.
Specialists from Zimperium zLabs discovered a new malicious campaign, during which more than 10 million Android devices were infected with the GriftHorse Trojan. Cybercriminals distribute a Trojan under the guise of harmless Android applications, in fact, subscribing unsuspecting victims to premium services costing € 36 per month.
The malware campaign started in November 2020 and is currently still active. It has targeted users around the world, including Australia, Brazil, the United Kingdom, Germany, India, Spain, Canada, China, Russia, Saudi Arabia and the United States.
The campaign uses at least 200 trojanized mobile apps, making it one of the largest fraudulent transactions uncovered this year. Malicious apps fall into a variety of categories ranging from Tools and Entertainment to Personalization, Lifestyle and Dating, allowing attackers to scale up their attacks. For example, one such application, Handy Translator Pro, has about 500,000 downloads.
According to a report by Zimperium specialists, usually, fraud with users’ subscription to premium services without their knowledge is carried out using phishing, but in this case, Android applications are used that play the role of Trojans.
Like banking Trojans, GriftHorse does not exploit any vulnerabilities in the operating system but uses social engineering techniques to force users to subscribe to a premium service.
After installing a malicious mobile application, the user is attacked by notifications with a promise of a gift. When the user clicks on this notification, he is redirected to a specific web page (depending on his place of residence), where he needs to enter a phone number for confirmation. However, in reality, by entering their number, the victim, without knowing it, subscribes to the premium service.
The researchers reported their discovery to Google, and the rogue apps were removed from the Play Store. However, they are still available in untrusted third-party repositories.
Catch up on more articles here
Follow us on Twitter here