New Android Trojan Steals Millions of Dollars

It was recently revealed that a malicious mobile campaign infected over 10 million Android users. The victims were from over 70 countries and were signed up for subscriptions to premium services without their knowledge, costing $42 per month.

New Android Trojan Steals Millions of Dollars
New Android Trojan Steals Millions of Dollars | Image credits: The Indian Express

It is one of the most widespread frauds found in 2021, with over 200 trojan programs, making it one of the most sophisticated, according to The Hacker News.  And because they targeted a wide range of categories, including Dating, Tools, Personalization, Entertainment, and Lifestyle, the malicious apps allowed the attacks to be carried out on a far larger scale. Handy Translator Pro, one of the apps, has racked up over 500,000 downloads.

GriftHorse was the name given to the dangerous trojan by Zimperium zLabs. Victims have been recorded in China, Russia, Spain, Australia, Brazil, France, Germany, India, Canada, Saudi Arabia, the United States, and the United Kingdom since November 2020, when the money-making plan is believed to have been actively developed.

Zimperium researchers Nipun Gupta and Aazim Yaswant stated, "While typical premium service scams take advantage of phishing techniques, this specific global scam has hidden behind malicious Android applications acting as Trojans, allowing it to take advantage of user interactions for increased spread and infection,"

They further stated that, despite the store description and permissions asked, these malicious Android apps charge customers on a monthly basis for a premium service in which they are not subscribed.

Victims were scammed by cybercriminals who offered them free gifts

Instead of exploiting Android's vulnerabilities, GriftHorse socially engineers users into subscribing to premium SMS services when they download the apps, similar to how previous banking trojans have done it in the past.

According to the study, these individuals are inundated with deceptive alerts that promise a free GIFT and, when clicked on, bring the user to a geo-specific homepage where their phone numbers are required for verification. What is really happening is that they are voluntarily providing their phone number to a premium SMS service, which will begin charging their phone bill when they have spent 30 euros in a month with them.

Not only was the GriftHorse operation able to operate under the radar and avoid detection by antivirus software, but it also generated millions in recurring revenue every month, with the total amount stolen from these victims potentially exceeding hundreds of millions of dollars, according to the researchers who investigated the case.

After being reported to Google in a responsible manner, the applications were removed from the Play Store. In the meantime, they continue to be hosted by untrusted app repositories, which serves to illustrate the dangers of sideloading arbitrary programs and how malware can utilize them as an entry point.