A heart rate and pulse monitor. A chat translator. A slime simulator. And a “defender” fingerprint. Using more than 200 of these stealthy apps, a group of cybercriminals has created a platform to spread fraudulent content and siphon tens of millions of dollars from victims, mobile security firm Zimperium says in a new analysis.
The platform, which the company has dubbed “GriftHorse,” consists of unpretentious Android apps, the most popular of which recorded fewer than a million downloads; most had far fewer. Once installed, these apps flood the user with five pop-up alerts every hour announcing that they have won a free giveaway. Clicking on the pop-up takes the user to a page that asks for their phone number. If the victim enters their number, the GriftHorse server automatically registers them for several premium SMS services.
The stealthy apps managed to go unnoticed and evade antivirus detection, says Richard Melick, director of product strategy for endpoint security at Zimperium.
“The apps themselves are obscurely boring, but there are a lot of them,” he says. “It’s not malware on the surface. Instead, it actually extracts web content in a browser, basically, and bypasses a lot of security.”
Operation GriftHorse was a phenomenal success. The Trojan horse applications were installed on between 4 and 17 million devices, targeted users in more than 70 countries and probably generated between 1.2 and 3.5 million euros (1.4 to 4.1 million dollars) every month, according to the Zimperium researchers’ analysis. The campaign has been active since November 2020.
The success of the operation lies in its unassuming apps, which did not trigger alerts from antivirus tools or Google Play Protect, the service that scans apps before users download them. The Trojan horse apps initially contained no malicious code; instead, they downloaded their functionality after installation, making their true purpose more difficult to determine.
“These cybercriminals have taken great care not to get caught by malware researchers by avoiding hard-coding URLs or reusing the same domains and filtering [or] serving the malicious payload based on the geolocation of the originating IP address,” Zimperium researchers state in the analysis. “Overall, the GriftHorse Android Trojan takes advantage of small screens, local trust, and misinformation to trick users into downloading and installing these Android Trojans, as well as frustration or curiosity when they accept the fake free prize sent to their notification screens.”
Almost half of the apps (48%) are classified as tools, while 13% are entertainment. Lifestyle and personalization apps each account for 6%. The rest of the Android apps are scattered across 15 other categories. Google removed the apps after being informed of the scam by Zimperium, the security firm said.
In addition to bypassing antivirus defenses, the operation was successful for two other reasons. First, while the annoying pop-ups make the pattern obvious to some users, others, accustomed to pop-up advertising, fall victim to the attack.
“Users just want to click [on the ad] and make it go away,” says Melick. “It takes advantage of user engagement with their phone.”
Second, in most cases, premium SMS subscriptions do not come with a notification and can often be hidden on invoices. Watchful consumers have the advantage of being able to recognize an increase in their monthly bill. Businesses, however, may not notice a higher bill if only a few employees’ phones are compromised, Melick says.
“They run hundreds of phones on one bill, so… that’s a rounding error for them,” he says. “Organizations could lose money every month because they don’t realize this load is happening.”
The successful campaign also highlights the vulnerability of the decades-old premium SMS billing service, which is a perfect vehicle for fraud, says Melick. Usually, there is no advance notice of impending charges, so users may not know they are paying for a “premium” service until they see the charge on their bill.
“Premium SMS is a relic of the pre-Google Play Store and the pre-Apple App Store – there is no longer any reason for it to exist,” he says. “If you want to provide a legitimate service, you’re not going to do it through premium SMS. I can’t think of an honest reason – it should be taken down to the old technology graveyard.”