Grifthorse Android Malware Claims 10 Million Victims Globally In Premium Subscription Scam

Practically everyone owns a mobile device these days, and most of them run Android, the most popular smartphone OS in the world. Don't assume that malicious actors aren't paying attention. Quite the opposite: a security firm says it recently discovered an "aggressive mobile premium services campaign" that has infected upwards of 10 million Android devices around the world.

This is an active Trojan campaign, dubbed GriftHorse, that is believed to have been running since November 2020. The culprit(s) planted the malicious code in over 200 Android apps, and victims have been found in more than 70 countries. The apps weren't distributed only through third-party app stores; they were also available on Google's own Play Store, according to Zimperium zLabs.

To Google's credit, it removed the malicious apps after being informed of their presence and verifying that they were, in fact, up to no good. However, Android users should be aware that they are still floating around third-party app stores, so side-load apps at your own risk (which is always the case, really).

Despite the "Trojan" label, these apps are not banking Trojans in the credential-stealing sense; they are premium-subscription fraud, and Zimperium estimates that the campaign has cost victims hundreds of millions of dollars in unwanted charges.

"These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for the premium service they get subscribed to without their knowledge and consent," Zimperium explains.

Android Gift Pop-Up
Source: Zimperium

The basic rundown of how this works is that a user downloads and installs an app they believe is legitimate but that carries the GriftHorse code. The app then starts showing pop-ups, like the one above, promising free gifts and other incentives to get the victim to tap. If they do, they are asked to enter their phone number and are unwittingly signed up to one or more paid premium subscriptions billed through that number.

"In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims," the security firm states.

Each victim who falls for the ruse ends up being charged over €30 (roughly $35) per month. The charges recur until the victim notices what is happening and takes action to cancel the subscription(s).

A single victim is not exactly a financial windfall, though each could lose hundreds of dollars over time. But with 10 million or more GriftHorse infections, it adds up fast: Zimperium estimates the operators were pulling in up to around $4 million per month.

As always, be careful about what you download and where you download it from, and be wary of apps that ask for unusual permissions. Because these charges are billed through the carrier and recur monthly, it is also worth checking your phone bill for unexpected premium-service charges and cancelling any subscription you don't recognize.