10 Million Android Devices Have Been Infiltrated by GriftHorse Trojan Apps

Disguised as legitimate apps, the GriftHorse malware has found its way onto more than 10 million Android devices. Learn how to determine whether your phone is one of them.

Mobile malware dubbed GriftHorse has found its way onto more than 10 million Android devices in more than 70 countries, including the United States. Cybercriminals are using GriftHorse to carry out billing fraud. “The cybercriminal group behind the GriftHorse campaign has built a stable cash flow of illicit funds from these victims, generating millions in recurring revenue each month with the total amount stolen potentially well into the hundreds of millions,” according to the Zimperium zLabs researchers who discovered the malware.


How the Attack Works

GriftHorse is a trojan horse — in other words, malware disguised as a legitimate program or file. In the GriftHorse campaign, the cybercriminals created more than 200 trojan apps covering a wide variety of interests (e.g., dating, entertainment, finance, music, utilities) to get a broad pool of potential victims. The cybercriminals posted the trojan apps in the Google Play store and on third-party app sites.

Although Google immediately removed the GriftHorse trojan apps from its store once it learned about them from the researchers, they are still posted on some third-party app sites. “These malicious Android applications appear harmless when looking at the store description and requested permissions,” noted the researchers. But these apps are far from harmless. Android users who download and install them will be blasted with popups (at least five per hour) telling them they have received a gift or won a prize. To claim it, all they need to do is click the provided link. The link leads to a geo-specific web page that asks them to submit their mobile phone numbers for verification purposes.

If the Android users comply, the malware uses their mobile phone numbers to subscribe them to premium SMS services, without their knowledge or consent. Premium SMS services allow one party (e.g., a company or charity) to collect money from a second party (e.g., a customer or donor) via text message. The amount due appears as a charge on the second party’s mobile phone bill. GriftHorse victims usually find a fraudulent charge of $35 or more per month on their bills. If the victims do not regularly check their phone bills, they might not even realize the charge is there.


Is Your Phone Infected?

If you have an Android phone, you might want to determine whether it has been infiltrated by a GriftHorse trojan app. Fortunately, the researchers have created a list of apps known to conceal GriftHorse. Although the list is not alphabetized, you can use your browser’s Find functionality to check the apps you have installed on your device against this list. If any of your apps are on the list, you should uninstall them.
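
If you are comfortable with Android's developer tools, the same check can be scripted. The following is an added example, not part of the original article or of the researchers' list: it assumes the list has been saved as one package ID per line and that the installed apps were exported with `adb shell pm list packages`. The function names and the package IDs in the sample data are constructed placeholders.

```python
import sys

# Constructed sample data: placeholder package IDs, not real indicators.
SAMPLE_PM_OUTPUT = (
    "package:com.android.settings\r\n"
    "package:/data/app/~~Qx1==/com.example.constructed.translator-9a==/base.apk"
    "=com.example.constructed.translator\n"
    "package:com.example.constructed.flashlight2\n"
    "package:com.example.constructed.flashlight\n"
)
SAMPLE_LIST = """\
# constructed entries
com.example.constructed.translator
com.example.constructed.flashlight   # trailing comment
com.example.constructed.horoscope
"""


def parse_pm_output(text):
    """Package IDs from `pm list packages` output (plain or -f form)."""
    packages = set()
    for line in text.splitlines():
        line = line.strip()  # tolerate stray whitespace and carriage returns
        if line.startswith("package:"):
            # With -f the ID follows the last '='; IDs never contain '='.
            packages.add(line[len("package:"):].rsplit("=", 1)[-1])
    return packages


def parse_list(text):
    """One package ID per line; blank lines and '#' comments are ignored."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {entry for entry in entries if entry}


def find_listed_apps(pm_output, list_text):
    """Installed packages whose ID exactly matches a list entry."""
    return sorted(parse_pm_output(pm_output) & parse_list(list_text))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py installed.txt list.txt
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            hits = find_listed_apps(a.read(), b.read())
    else:
        hits = find_listed_apps(SAMPLE_PM_OUTPUT, SAMPLE_LIST)
    for package in hits:
        print("uninstall candidate:", package)
    sys.exit(1 if hits else 0)
```

Matching is exact and case-sensitive, so an app whose ID merely starts with a listed ID is not reported.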


Other Measures You Can Take to Protect Your Phone from Trojan Apps

Admittedly, spotting trojan apps like GriftHorse in app stores can be hard if they are well designed. However, there are measures you can take to protect your Android phone from trojan apps and the malware they harbor:

  • Install only those apps you need. Every app installed on your device presents a security risk. Thus, it is best to keep the number of apps to a minimum.
  • Install apps only from official app stores such as Google Play. Although trojan apps sometimes find their way into the official app stores, the risk is much greater if you download apps from third-party sites. Plus, official app stores are quick to remove apps that are found to be malicious.
  • Research any app you want to install on your Android device, even if you will be downloading it from an official app store. Look at the program’s user ratings and reviews in the app store. In addition, perform Internet searches on both the program and its developer to see if there have been any security issues in the past.
  • Pay attention to permissions. Watch for permissions that seem excessive for what a program does. Although the GriftHorse trojan apps' requested permissions were not excessive, that is not always the case. Be particularly wary of apps that ask to become a device administrator, as this will allow the apps to control your phone.
  • Make sure the Android operating system software is updated. System updates patch known vulnerabilities, which helps reduce the number of exploitable entry points.
  • Use a security solution to detect and block known malware. Some solutions will even scan apps for suspicious elements before you install them.

Google Android Apps flickr photo by Visual Content shared under a Creative Commons (BY) license