GriftHorse Android Trojan

GriftHorse Android Trojan Description

A massive attack campaign that has impacted over 10 million Android users has been uncovered by security researchers. They found over 130 weaponized applications that were distributing a new mobile Android Trojan named GriftHorse. The applications spanned numerous different categories and were available on Google Play, as well as third-party app stores. The effort put into these trojanized applications varied greatly, with some possessing basic functionality, while not capable of doing anything. 

The goal of the hackers and the main activity of GriftHorse is to perform a scheme known as 'fleeceware.' It involves subscribing the unsuspecting victims to expensive premium mobile services. The tactic is revealed only when the users receive their next monthly bill from their mobile operator. With the average subscription price being estimated at $42 per month (€36), the researchers believe that the cybercriminals behind GriftHorse have been able to collect hundreds of millions of euros from users spread across 70 countries. 

Attack Details

Once delivered to the user's Android device, GriftHorse begins bombarding them with alerts claiming that they have won a prize that must be claimed immediately. These alerts would be generated at least five times per hour. Upon interacting with the alert, users would be presented with a dynamically generated page based on several factors such as the device's IP address, geolocation, the local language and context-appropriate text. These pages ask the victims to input their phone numbers under the guise of using them as a 'verification' measure. Instead,  the GriftHorse subscribed the victim to a chosen premium mobile service.

Besides the use of non-repeatable pages, and avoiding any hardcoded URLs, the hackers also used additional tactics to avoid detection and remain unnoticed. For example, they developed weaponized applications using Apache Cordova,  which allows them to push updates without the need for any user interaction. Furthermore, the campaign involves sophisticated infrastructure with multiple Command-and-Control servers and strong encryption using the AES cryptographic algorithm.