[TheRecord] New GriftHorse malware has infected more than 10 million Android phones

Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis.

Discovered by mobile security firm Zimperium, the new GriftHorse malware has been distributed via benign-looking apps uploaded on the official Google Play Store and on third-party Android app stores.

Malware subscribes users to premium SMS services

If users install any of these malicious apps, GriftHorse starts peppering them with popups and notifications that offer various prizes and special offers.

Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. In reality, by entering their number, users subscribe themselves to premium SMS services that charge over €30 ($35) per month, money that is later redirected into the GriftHorse operators’ pockets.

Image: Zimperium

Zimperium researchers Aazim Yaswant & Nipun Gupta, who have been tracking the GriftHorse malware for months, described it as “one of the most widespread campaigns the zLabs threat research team has witnessed in 2021.”

But the two Zimperium researchers said that beyond the sheer numbers, the GriftHorse coders also invested in their malware’s code quality, using a wide spectrum of websites, malicious apps, and developer personas to infect users and avoid detection for as long as possible.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” Yaswant and Gupta explained.

“In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims.”

Image: Zimperium

GriftHorse is making millions in monthly profits

Based on what they’ve seen until now, the researchers estimated that the GriftHorse gang is currently making between €1.2 million and €3.5 million per month from their scheme ($1.5 million to $4 million per month).

The campaign has been actively under development for several months, starting from November 2020, and the last updated time dates back to April 2021. This means one of their first victims, if they have not shut off the scam, has lost more than €200 at the time of writing. The cumulative loss of the victims adds up to a massive profit for the cybercriminal group.

Aazim Yaswant & Nipun Gupta

Zimperium, which is a member of the App Defense Alliance, said it contacted Google about all the GriftHorse infected apps, which have now been removed from the Play Store.

A list of more than 200 GriftHorse infected apps Zimperium researchers spotted in the wild is available on the company’s research blog.

The post New GriftHorse malware has infected more than 10 million Android phones appeared first on The Record by Recorded Future.
