Sneaky Android Trojan Siphons Millions Using Premium SMS

More than 200 applications on the Google Play store have, until recently, allowed cybercriminals to deliver malicious Web content to victims' phones, likely garnering tens of millions of dollars.

4 Min Read
Categories of GriftHorse Android apps available, until recently, on the Google Play storeSource: Zimperium

A heart rate and pulse tracker. A chat translator. A slime simulator. And a fingerprint "defender." Using more than 200 such low-key applications, a cybercriminal group created a platform for delivering fraudulent content and siphoned tens of millions of dollars from victims, mobile security firm Zimperium states in a new analysis. 

The platform, which the company dubbed "GriftHorse," consists of unassuming Android apps — the most popular of which had less than 1 million downloads; most had far fewer. When installed, these apps would inundate the user with five popup alerts every hour, notifying them they won a free gift. Clicking through the popup leads to a page that asks for the user's phone number. If the victim enters their number, the GriftHorse server automatically signs them up for several premium SMS text services.

The understated applications managed to fly under the radar and avoid antivirus detection, says Richard Melick, director of product strategy for endpoint security at Zimperium.

"The application themselves are obscurely boring, but there are a lot of them," he says. "They are not malware on the surface. Instead, they are actually pulling in Web content in a browser, essentially, and bypassing a lot of security."

The GriftHorse operation has been phenomenally successful. The Trojan applications are installed on between 4 million and 17 million devices, have targeted users in more than 70 countries, and likely generated between €1.2 million and €3.5 million (USD$1.4 million to USD$4.1 million) every month, Zimperium researchers state in their analysis. The campaign has been active since November 2020.

The success of the operation is in its understated programs that did not trigger notifications from antivirus tools or Google Play Protect, the service that scans apps before users download them. The Trojan horse applications did not initially have malicious code but instead downloaded the capabilities after installation, making their true purpose harder to determine.

"These cybercriminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains and filtering [or] serving the malicious payload based on the originating IP address’s geolocation," Zimperium researchers state in the analysis. "Overall, GriftHorse Android Trojan takes advantage of small screens, local trust, and misinformation to trick users into downloading and installing these Android Trojans, as well frustration or curiosity when accepting the fake free prize spammed into their notification screens."

Almost half of the apps (48%) are classified as tools, while 13% are entertainment. Lifestyle and personalization applications each make up 6%. The rest of the Android apps are scattered across 15 other categories. Google removed the applications after being notified of the scam by Zimperium, the security firm said.

In addition to sneaking past antivirus defenses, the operation succeeded for two other reasons. First, the annoying popups may make the scheme obvious to some users, but others — used to popup advertising — are falling victim to the attack.

"Users just want to click [on the ad] and make it go away," Melick says. "It takes advantage of the user's engagement with their phone."

Second, in most cases, premium SMS subscriptions do not come with a notification and can often be hidden on bills. Vigilant consumers have an advantage in that they can recognize an increase in their monthly bill. Companies, however, may not notice a higher bill if only a few employees' phones are compromised, Melick says.

"They are managing hundreds of phones on a single bill, so ... this is a rounding error for them," he says. "Organizations could be losing money every month because they don't realize this charge is happening."

The successful scheme also highlights the vulnerability of the decades-old service for charging for premium SMS messages, which is a perfect vehicle for fraud, says Melick. Usually, there is no ongoing notice of an impending charge, so users may not know they paying for a "premium" service until they detect the charge in their bill.

"Premium SMS is a relic of pre-Google Play Store and pre-Apple App Store — there is no reason for it to exist anymore," he says. "If you want to deliver a legitimate service, you are not going to do it through premium SMS. I can't think of an honest reason — it should be retired to the graveyard of old tech."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights