GriftHorse malware has infected more than 10 million Android devices

An Android malware called GriftHorse has stolen millions of dollars from its victims through Play Store apps.

Google has always tried to keep the Play Store clean of infected applications, but it has not had much success. The company constantly removes infected apps, and in a recent effort removed about 200 apps in various categories from the Play Store, all of which carried the GriftHorse malware. The trojan has infected more than 10 million Android devices so far.

According to statistics, Android is up to 47% more vulnerable to malware than iOS due to its open-source nature, but Apple has also recently performed poorly in securing its mobile operating system. There is no denying that the Android platform is the more attractive option for malware developers, and they take every opportunity to release infected applications into the Google mobile ecosystem.

According to research by Zimperium zLabs, a new Android trojan called GriftHorse has been embedded in more than 200 applications in various categories, all of which were approved and published in the Play Store as well as in third-party stores. The malware has infected more than 10 million Android devices in 70 countries and stolen tens of millions of dollars from its victims.

The GriftHorse Threat Actors

The GriftHorse campaign is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021, and its success is attributed to a rarely seen combination of features:

  • Completely undetected and unreported by any other AV vendor;
  • More than 200 Trojan applications were used in the campaign;
  • Sophisticated architecture preventing the investigation of the extent of this campaign; and
  • No-Reuse policy to avoid the blocklisting of strings.

The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months.

In addition to the large number of applications, their distribution was extremely well planned, spreading the apps across multiple, varied categories and widening the range of potential victims.

All apps infected by GriftHorse

  • Handy Translator Pro
  • Heart Rate and Pulse Tracker
  • Geospot: GPS Location Tracker
  • iCare – Find Location
  • My Chat Translator
  • Bus – Metrolis 2021
  • Free Translator Photo
  • Locker Tool
  • Fingerprint Changer
  • Call Recoder Pro
  • Instant Speech Translation
  • Racers Car Driver
  • Slime Simulator
  • Keyboard Themes
  • What’s Me Sticker
  • Amazing Video Editor
  • Safe Lock
  • Heart Rhythm
  • Smart Spot Locator
  • CutCut Pro
  • OFFRoaders – Survive
  • Phone Finder by Clapping
  • Bus Driving Simulator
  • Fingerprint Defender
  • Lifeel – scan and test
  • Launcher iOS 15
  • Idle Gun Tycoon
  • Scanner App Scan Docs & Notes
  • Chat Translator All Messengers
  • Hunt Contact
  • Icony
  • Horoscope: Fortune
  • Fitness Point
  • Qibla AR Pro
  • Heart Rate and Meal Tracker
  • Mine Easy Translator
  • PhoneControl Block Spam Calls
  • Parallax paper 3D
  • SnapLens – Photo Translator
  • Qibla Pass Direction
  • Caller-x
  • Clap
  • Photo Effect Pro
  • iConnected Tracker
  • Smart Call Recorder
  • Daily Horoscope & Life Palmistry
  • Qibla Compass (Kaaba Locator)
  • Pookie-Cartoon Photo Editor
  • Qibla Ultimate
  • Truck – RoudDrive Offroad
  • GPS Phone Tracker – Family Locator
  • Call Recorder iCall
  • PikCho Editor app
  • Street Cars: pro Racing
  • Cinema Hall: Free HD Movies
  • Live Wallpaper & Background
  • Intelligent Translator Pro
  • Face Analyzer
  • TrueCaller (NOT Truecaller, by True Software Scandinavia AB)
  • TrueRecoder
  • iTranslator_ Text & Voice & Photo
  • Pulse App – Heart Rate Monitor
  • Video & Photo Recovery Manager 2
  • Быстрые кредиты 247
  • Fitness Trainer

And many other apps that are infected by GriftHorse …

The researchers explained in their report that the GriftHorse campaign was active from November 2020 to April 2021.

When people install one of these GriftHorse-infected apps, the malware displays a large number of notifications and pop-ups offering special discounts and various prizes. People who tap on these messages are taken to a web page where they must register and then confirm their mobile number to claim the prizes and discounts.

In effect, the victims of GriftHorse are subscribed to a paid premium service costing $35 a month. The malware makers have earned between $1.5 million and $4 million a month using this method. Thus the first victims of this trojan, if they had not stopped using it, would probably have lost more than $230.

Two Zimperium researchers, Yaswant and Nipun Gupta, point out that GriftHorse is a sophisticated malware campaign, and that its developers used high-quality code and a variety of infected websites and applications to distribute their apps across most categories. Zimperium has notified Google of the malware, and the company has removed the infected applications from its store. However, it is still possible to download the infected apps from third-party stores.

Conclusion

The numbers show that more than 10 million Android users fell victim to this campaign globally, suffering financial losses while the threat group grew wealthier and more motivated over time. While the victims struggle to get their money back, the cybercriminals made off with millions of euros through this technically novel and effective trojan campaign. This is not the first attack of its kind on Android: in 2018, the security company Wandera discovered a similar malware that sent text messages to premium services. Given the complexity of the GriftHorse campaign, it seems that the developers of this malware have been spreading it for a long time.