GriftHorse – New Android Trojan Steals Millions from Over 10 Million Victims Globally

The mobile security firm Zimperium has recently detected an “aggressive” mobile campaign, that is named “GriftHorse,” and it has affected over 10 million users from nearly 70 countries. 

The attacks were conducted via innocuous Android apps that support the people to premium services that are costing €36 (~$42) per month.


GriftHorse is targetting many users and continuously implementing their attacks; if anybody notices this malicious Android application then it would appear harmless after looking at the store description and requested permissions.

But when users get charged month over month for the premium service this false hope gets change, as they get subscribed to without their awareness and consent.

What GriftHorse can do?

The campaign has attacked millions of users from over 70 countries, this malware utilizes a social engineering method that is particularly successful, acknowledging users might feel more informal sharing information to a website in their regional language.

However, after investigating the attack, the analysts asserted that the threat actors took great care so that they won’t get caught by malware experts. 

The threat actors did all this by bypassing strong URLs or reusing the same domains and filtering/serving the malicious payload that is based on the generated IP address’s geolocation.

How GriftHorse works?

The technology that is being used by the operators allows developers to extend updates to apps outwardly demanding the user to update manually. But, the Trojans that are formed in this campaign using the mobile application progress framework that is called Apache Cordova. 

The application generally displays a web page that references HTML, CSS, JavaScript, and images. And it also has a GetData() function that supervises the interaction between the application and the C&C server, it does by encrypting an HTTP POST request along with the value of appConf.

Key features of GriftHorse

Here’s the list of key features of GriftHorse:-

  • It remains completely undetected and was initially reported by any other AV vendors.
  • It has used over 200 Trojan applications in this campaign.
  • Its sophisticated architecture prevented the investigators from investigating the scope of this campaign.
  • To avoid the blocklisting of strings it implements the No-Reuse policy.

Malware makes users subscribe to premium SMS services

Whenever users install such types of malicious apps, GriftHorse immediately starts spotting users with popups and notifications that generally offer several prizes and special offers.

So, here, the users when tap on these notifications, they redirect users to a specially crafted online page. Well on this page they were being asked to verify their phone number in order to obtain the offer.

But after knowing the details, it was confirmed that by giving numbers, users are subscribing themselves to bonus SMS services that credit over €30 ($35) per month, and this same money is being redirected into the GriftHorse operators’ pockets later.

Operators of GriftHorse is making millions

Since these campaigns are quite easy to conduct, and that’s why GriftHorse is making millions of money in monthly profits. The GriftHorse gang is currently making between €1.2 million and €3.5 million per month from this kind of campaign.

That’s why the cybersecurity researchers have highly recommended the users to stay alert, and not to give any kind of personal information outwardly knowing all the details of the source.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.