You Really Should Look a “GiftHorse” in the Mouth

An Android Trojan has now achieved a victim count of over 10 million in at least 70 countries.  Researchers say the infections are generating millions of dollars a month in recurring revenue.  According to Zimperium zLabs, the new malware has been embedded in at least 200 malicious applications, many of which have managed to circumvent the protections offered by the Google Play Store, the official repository for Android apps.

The researchers say that the operators behind the Trojan have managed to infect so many devices that a stable cash flow of illicit funds, "generating millions in recurring revenue each month," has been established.  Believed to have been in operation since November 2020, the "GriftHorse" campaign relies on victims being duped into handing over their phone number, which is then used to subscribe them to premium SMS messaging services.

Victims first download Android apps that appear innocent and legitimate.  These apps range from puzzle games and utilities to dating, food, and drink software; the most popular malicious app, a translator, accounts for at least 500,000 downloads.

Upon installation, however, the GriftHorse Trojan, built with Apache Cordova, constantly bombards the user with messages alerting them to a fake prize they have won, then redirects them to a web page chosen according to their geolocation and, therefore, their language.  This scam is being used by threat actors pretending to be from the AT&T wireless billing department.  The text offers you a “Free gift” for paying your monthly bill.  Since the app is driven by country, the message refers to you as Robert, Charles, James, etc., common North American names.

Mobile users are then asked to submit their phone numbers for verification purposes. If they submit this information, they are then subscribed to premium services "without their knowledge and consent," zLabs noted.

Some of the charges are upward of €30 ($35) per month, and if a victim does not notice this suspicious transaction, then they could, theoretically, be charged for months on end with little hope of ever clawing back their cash.

To avoid discovery, the malware's operators use changeable URLs rather than hardcoded addresses.  "This method allowed the attackers to target different countries in different ways," the team says. "This check on the server-side evades dynamic analysis checking for network communication and behaviors."

zLabs reported its findings to Google, which promptly removed the Android apps marked as malicious from Google Play.  However, these apps are still available on third-party platforms.

Apps you should uninstall today:

  • My Locator Plus
  • iSalam Qibla Compass
  • Language Translator-Easy&Fast
  • WiFi Unlock Password Pro X
  • Pony Video Chat-Live Stream
  • Zodiac : Hand
  • Ludo Game Classic
  • Loca – Find Location
  • Easy TV Show
  • Qibla correct Quran Coran Koran
  • Dating App – Sweet Meet
  • R Circle – Location Finder
  • TagsContact
  • Ela-Salaty: Muslim Prayer Times & Qibla Direction
  • Qibla Compass
  • Soul Scanner – Check Your
  • CIAO – Live Video Chat
  • Plant Camera Identifier
  • Color Call Changer
  • Squishy and Pop it
  • Keyboard: Virtual Projector App
  • Scanner Pro App: PDF Document
  • QR Reader Pro
  • FX Keyboard
  • You Frame
  • Call Record Pro
  • Free Islamic Stickers 2021
  • QR Code Reader – Barcode Scanner
  • Bag X-Ray 100% Scanner
  • Phone Caller Screen 2021
  • Translate It – Online App
  • Mobile Things Finder
  • Proof-Caller
  • Phone Search by Clap
  • Second Translate PRO
  • CallerID
  • 3D Camera To Plan
  • Qibla Finder – Qibla Direction
  • Stickers Maker for WhatsApp
  • Qibla direction watch (compass)
  • Piano Bot Easy Lessons
  • CallHelp: Second Phone Number
  • FastPulse – Heart Rate Monitor
  • Caller ID & Spam Blocker
  • Free Coupons 2021
  • KFC Saudi – Geta free delivery and 50% off coupons
  • Skycoach
  • HOO Live – Meet and Chat
  • Easy Bass Booster
  • Coupons & Gifts: InstaShop
  • FindContact
  • Launcher iOS for Android
  • Call Blocker-Spam Call Blocker
  • Live Mobile Number Tracker
  • Pulse App – Heart Rate Monitor
  • Video & Photo Recovery Manager 2
  • Быстрые кредиты 24\7
  • Fitness Trainer
  • ClipBuddy
  • Vector arts
  • Ludo Speak v2.0
  • Battery Live Wallpaper 4K
  • Heart Rate Pro Health Monitor
  • Locatoria – Find Location
  • GetContacter
  • Photo Lab
  • AR Phone Booster – Battery Saver
  • English Arabic Translator direct
  • VPN Zone – Fast & Easy Proxy
  • 100% Projector for Mobile Phone
  • Forza H Mobile 4 Ultimate Edition
  • Amazing Sticky Slime Simulator ASMR
  • Clap To Find My Phone
  • Screen Mirroring TV Cast
  • Free Calls WorldWide

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and can offer tools and support for a proactive cyber intelligence program.  This will enable your CISO or virtual CISO to block (blacklist) attacks using the malicious indicators collected by our analysts.  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516
