30th September 2021, Kathmandu
A newly discovered “truculent” mobile campaign has infected more than 10 million users in over 70 countries via seemingly harmless Android apps that subscribe them to premium services costing €36 (~$42) per month without their knowledge.
Zimperium zLabs dubbed the malicious Trojan “GriftHorse.” The financially lucrative scheme is believed to have been under active development since November 2020, with victims reported across Australia, Brazil, Canada, China, France, Germany, India, Russia, Saudi Arabia, Spain, the U.K., and the U.S.
No fewer than 200 Trojan applications were used in the campaign, making it one of the most widespread scams to have been uncovered in 2021. What’s more, the malicious apps catered to a varied set of categories ranging from Tools and Entertainment to Personalization, Lifestyle, and Dating, effectively widening the scale of the attacks. One of the apps, Handy Translator Pro, amassed as many as 500,000 downloads.
“While typical premium accommodation scams maximize phishing techniques, this concrete ecumenical scam has obnubilated behind malevolent Android applications acting as Trojans, sanctioning it to maximize utilizer interactions for incremented spread and infection,” Zimperium researchers Aazim Yashwant and Nipun Gupta said in a report shared with The Hacker News.
“These maleficent Android applications appear innocuous when optically canvassing the shop description and requested sanctions, but this erroneous sense of confidence changes when users get charged month over month for the premium accommodation they get subscribed to without their erudition and consent.”
Like other banking trojans, GriftHorse doesn’t exploit flaws in the Android OS, but rather socially engineers users into subscribing their phone numbers to premium SMS services upon downloading the apps.
Following a successful infection, the victims are bombarded with fake alerts promising a free “GIFT” that, when clicked, redirect them to a geo-specific webpage to submit their phone numbers for verification. “But in authenticity, they’re submitting their telephone number to a premium SMS accommodation that might commence charging their telephone bill over €30 per month,” the researchers said.
Following responsible disclosure to Google, the apps have been purged from the Play Store. But they continue to be available on untrusted third-party app repositories, once again underscoring the risks of sideloading arbitrary applications and how they can serve as an intrusion route for malware.
“Overall, GriftHorse Android Trojan capitalizes on minuscule screens, local trust, and misinformation to chicane users into downloading and installing these Android Trojans, also frustration or curiosity when accepting the fictitiously unauthentic free prize spammed into their notification screens,” Yashwant and Gupta concluded.