GriftHorse malware has infected 10 million Android devices • The Register
You may be advised not to look a gift horse in the mouth for fear of appearing ungrateful and jeopardizing its health. But you’ll probably want to look at your Android phone for GriftHorse, or rather one of the 200 or so apps with different names that embed the malicious code.
Mobile security company Zimperium, which first identified the GriftHorse Android Trojan, says the malware has infected more than 10 million Android devices worldwide; a fraction of a percent of active droid devices, but still misery for literally millions of people.
In a blog post published Wednesday, Zimperium researchers Aazim Yaswant and Nipun Gupta said the Trojan code dubbed GriftHorse has been spotted in more than 200 malicious apps in at least 70 different countries and has plagued Android phones since November 2020.
Zimperium is teaming up with Google to defend the advertising giant’s Play Store and has thus already informed the Chocolate Factory of its conclusions. Google, we are told, has already tamed its online souk. So, reviewing the long list of affected apps in Zimperium’s blog post is probably not necessary for Android devices linked to Google Play.
But the subversive code can still be present in Android apps distributed through third-party stores, the researchers said, coincidentally echoing a favored talking point of Google and Apple about maintaining control of their app stores for security reasons.
GriftHorse apps are designed to subscribe Android users to premium services without their authorization, which incurs a fee of around €36 per month ($42) until the subscriptions are noticed and canceled by the victim. This particular scam, researchers speculate, may have earned the creators of GriftHorse several million dollars.
“In the event of infection, the victim is bombarded with on-screen alerts letting them know that they have won a prize and must claim it immediately,” Yaswant and Gupta explain. “These pop-ups reappear no less than five times per hour until the app user successfully accepts the offer.”
Once the user agrees, they explain, the malicious code redirects the victim to a web page tailored to their specific location, which then asks for a phone number as verification. This number is in fact enrolled in a premium SMS service subscription, which adds a charge to the victim’s monthly mobile bill.
Once installed, a GriftHorse application retrieves encrypted files stored in the assets/www folder of the APK and decrypts them using AES/CBC/PKCS5Padding. The resultant index.html file is then loaded through the Android WebView class. It references a js/index.js file, which sets up a Google Advertising ID and makes a POST request with an encrypted payload to the command-and-control (C&C) server.
The server responds with more encrypted data – the second-stage C&C URL, which is used to make a GET request through Cordova’s InAppBrowser to retrieve the configuration data used to send the gift notifications.
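The layout described above (Cordova web assets under assets/www that are stored encrypted rather than as readable HTML and JavaScript) can be checked statically. The following is an added triage example, not code from Zimperium or The Register; it assumes the files are stored as raw AES-CBC ciphertext, and the entropy threshold, function names and sample archive are constructed for illustration.

```python
import io, math, os, zipfile
from collections import Counter

WEB_EXTS = (".html", ".js", ".css")   # Cordova web assets that should be plain text
ENTROPY_THRESHOLD = 7.0               # assumed cut-off, in bits per byte

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    """Ciphertext is not valid UTF-8, is high-entropy, and (AES-CBC with
    PKCS5 padding) always has a length that is a multiple of 16 bytes."""
    try:
        data.decode("utf-8")
        return False                  # decodes as text: a normal web asset
    except UnicodeDecodeError:
        pass
    return len(data) % 16 == 0 and shannon_entropy(data) >= ENTROPY_THRESHOLD

def triage_apk(apk) -> list:
    """Return the assets/www web files whose bytes look like ciphertext."""
    flagged = []
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.startswith("assets/www/") and name.lower().endswith(WEB_EXTS):
                if looks_encrypted(zf.read(name)):
                    flagged.append(name)
    return sorted(flagged)

def build_sample_apk(encrypted: bool) -> io.BytesIO:
    """Constructed sample: a ZIP laid out like a Cordova APK, not a real app."""
    html = b"<!DOCTYPE html><html><body><script src='js/index.js'></script></body></html>"
    js = b"document.addEventListener('deviceready', function () {}, false);\n" * 20
    if encrypted:                     # random bytes stand in for AES-CBC output
        html, js = os.urandom(2048), os.urandom(4096)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/www/index.html", html)
        zf.writestr("assets/www/js/index.js", js)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print("plain sample:    ", triage_apk(build_sample_apk(False)))
    print("encrypted sample:", triage_apk(build_sample_apk(True)))
```

A hit is only a reason to look closer: legitimate apps may also protect their web assets, so the result should be weighed with other signals such as the app's source and its billing-related behaviour.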
The researchers note that GriftHorse’s success can in part be attributed to the non-reuse of common strings in app code, which avoids pattern-based detection and blocking.
The Register asked Google whether it anticipates the need to limit the update mechanisms used in Android apps built with Apache Cordova, but we haven’t heard back. ®