An Android Trojan, GriftHorse, has infected over 10 million users in over 70 countries, marking an unpleasant milestone.
According to the latest post on Zimperium’s mobile security blog, at least 200 malicious apps have been found to contain the new malware, many of which managed to get past the safeguards of the Google Play Store.
Researchers reveal that this Trojan’s operators have infected enough devices to generate a steady cash flow of illicit payments, “making millions in recurring income each month.”
The “GriftHorse” campaign, which has been active since November 2020, focuses on tricking victims into giving their phone numbers, which are then used for registering subscriptions to premium SMS messaging services.
Victims are tricked into downloading Android applications that appear to be safe and trustworthy. These apps are usually puzzle games, utilities, dating apps, and food apps. The most popular of the malicious apps, a translation app, has received at least 500,000 downloads.
After installation, the GriftHorse Trojan bombards the user with notifications alerting them to a phony prize they’ve won, and then redirects them to a web page chosen according to their geolocation and, thus, their language.
Then, for verification purposes, mobile users are requested to enter their phone numbers. If they provide this information, they are enrolled in premium services “without their knowledge or consent.”
To evade detection, the malware’s operators use changing URLs rather than hardcoded ones. This allowed the attackers to bypass dynamic analysis checks:
“These cybercriminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains and filtering / serving the malicious payload based on the originating IP address’s geolocation. This method allowed the attackers to target different countries in different ways. This check on the server-side evades dynamic analysis checking for network communication and behaviors,” zLabs’ researchers explained.
Google was notified of zLabs’ findings, and the malicious Android applications were quickly deleted from Google Play. These programs, however, can still be found on third-party marketplaces.