More than 10 million Android smartphones have reportedly been affected by a new malware called Grifthorse. It was discovered by researchers from mobile security firm Zimperium, whose research shows that the threat group had been operating since November 2020. The research firm noted that the Grifthorse malware was distributed through both Google Play and third-party application stores and stole “hundreds of millions of euros” from affected users. The malware disguised itself within the app’s code and tricked users into clicking phishing links to redirect money to their accounts. Zimperium Research claims that these malicious Android apps at first appear “harmless” in terms of their app description and requested permissions; however, they essentially trick users into subscribing to premium services without their knowledge and consent in order to withdraw money.
In a blog post, the company says that the malicious apps pose a threat to all Android devices by acting as Trojans and charging a premium of around EUR 36 (about Rs 3,100) per month. The campaign has reportedly targeted millions of users from over 70 countries by selectively serving malicious pages to users based on the geographic location of their IP addresses, along with the local language. Because these campaigns are distributed in local languages, the attack success rate appears to be high. The Grifthorse campaign is one of the most “extensive campaigns” the zLabs threat research team has seen in 2021, the company notes. Grifthorse essentially sends out sophisticated popups and notifications, promising various rewards and special offers. Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number to access the offer. However, users find themselves subscribed to special SMS services that charge a premium, which is redirected to the operator’s account.
Some of the popular apps infected with the Grifthorse malware include Handy Translator Pro, Heart Rate and Pulse Tracker, Geospot: GPS Location Tracker, iCare – Find Location and My Chat Translator. According to the company, users in India are also affected by this. Zimperium, which is a member of the App Defense Alliance, said it contacted Google about all the Grifthorse-infected apps, which have now been removed from the Play Store. However, these apps may still be present on third-party app stores.