Research and writeup by Aazim Yaswant and Nipun Gupta
With the increase of mobile device use in everyday life, it is no surprise to see cybercriminals targeting these endpoints for financial crimes. Zimperium zLabs recently discovered an aggressive mobile premium services campaign with upwards of 10 million victims globally, and the total amount stolen could be well into the hundreds of millions of Euros. While typical premium service scams take advantage of phishing techniques, this specific global scam has hidden behind malicious Android applications acting as Trojans, allowing it to take advantage of user interactions for increased spread and infection.
These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for the premium service they get subscribed to without their knowledge and consent.
The Zimperium zLabs researchers discovered this global premium services Trojan campaign through a rise in specific alerts from our z9 on-device malware detection engine, which detected and reported the true nature of these malicious Android applications.
Forensic evidence of this active Android Trojan attack, which we have named GriftHorse, suggests that the threat group has been running this campaign since November 2020. These malicious applications were initially distributed through both Google Play and third-party application stores. Zimperium zLabs reported the findings to Google, who verified the provided information and removed the malicious applications from the Google Play store. However, the malicious applications are still available on unsecured third-party app repositories, highlighting the risk that sideloaded applications pose to mobile endpoints and user data, and the need for advanced on-device security.
Disclosure: As a key member of the Google App Defense Alliance, Zimperium scans applications before publishing and provides an ongoing analysis of Android apps in the Google Play Store.
In this blog, we will:
Cover the capabilities of the GriftHorse Trojan;
Discuss the architecture of the applications;
Show the communication with the C&C server; and
Explore the global impact of the GriftHorse campaign.
What can the GriftHorse Android Trojan do?
The mobile applications pose a threat to all Android devices by functioning as a Trojan that subscribes unsuspecting users to paid services, charging a premium amounting to around 36 Euros per month.
The campaign has targeted millions of users from over 70 countries by serving selective malicious pages to users, in the local language, based on the geo-location of their IP address. This social engineering trick is exceptionally successful, considering users might feel more comfortable sharing information with a website in their local language.
Upon infection, the victim is bombarded with alerts on the screen telling them they have won a prize and must claim it immediately. These pop-ups reappear no less than five times per hour until the application user accepts the offer. Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone number for verification. In reality, they are submitting their phone number to a premium SMS service that starts charging their phone bill over €30 per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back.
These cybercriminals took great care not to get caught by malware researchers: they avoided hardcoding URLs or reusing the same domains, and they filtered and served the malicious payload based on the geolocation of the originating IP address. This method allowed the attackers to target different countries in different ways. Because the check happens server-side, it evades dynamic analysis that looks for network communication and behaviors.
Overall, the GriftHorse Android Trojan takes advantage of small screens, local trust, and misinformation to trick users into downloading and installing these Android Trojans, as well as frustration or curiosity when accepting the fake free prize spammed into their notification screens.
How does the GriftHorse Android Trojan work?
The Trojans are developed using the mobile application development framework named Apache Cordova. Cordova allows developers to use standard web technologies – HTML5, CSS3, and JavaScript for cross-platform mobile development. This technology enables developers to deploy updates to apps without requiring the user to update manually.
While this framework should provide the user a better experience and security, the very same technology can be abused to host the malicious code on the server and develop an application that executes this code in real-time. The application displays as a web page that references HTML, CSS, JavaScript, and images.
Upon installation and launch of the application, the encrypted files stored in the “assets/www” folder of the APK are decrypted using “AES/CBC/PKCS5Padding”. After decryption, the file index.html is loaded using the WebView class.
Figure 1: The application code containing Key, IV, and file types to decrypt dynamically
The core functionality lies in the js/index.js file, which calls the onDeviceReady function. This function adds the “Google Advertising ID (AAID) for Android devices” to appConf. The data structure appConf is also populated with the AppsFlyerUID collected after initializing AppsFlyer (React Native AppsFlyer plugin) using the devKey. After the necessary checks, control is passed to GetData().
Figure 4: The contents of index.js file that calls GetData()
The GetData() function handles the communication between the application and the C&C server by sending an HTTP POST request whose payload is the encrypted value of appConf.
Figure 5: The GetData() function that communicates with the C&C server
The request and response network communication with the server can be seen in the following screenshots, where the parameter “d” is the encrypted ciphertext of appConf.
The received encrypted response is decrypted using AES to recover the second-stage C&C URL, which is then opened with a GET request using Cordova’s InAppBrowser. The decrypted contents of the above communication can be seen in the following screenshots.
Figure 8: The decrypted content of the POST request to the first-stage C&C server
Figure 9: The decrypted content of the response from the first-stage C&C server
The configuration for pushing the notifications is received in the response; the notification is displayed once every hour, five times, as seen in the screenshot below. The motive of this repetitive notification pushing is to grab the user’s attention and draw them back into the application.
The second-stage C&C domain is always the same irrespective of the application or the geolocation of the victim, and the GET request to this server navigates the browser to the third-stage URL. An example of the response can be seen below.
The third-stage URL displays the final page asking for the victim’s phone number and subscribes to several paid services and premium subscriptions.
The JavaScript code embedded in the page is responsible for the malicious behavior of the application due to the interaction between the Web and Mobile resources. Some examples of the displayed page and the malicious JS codes are shown below.
There are two variants of the campaign differing by the interaction with the victim:
First Variant: Displays a “Continue” or “Click” button; clicking it initiates an SMS send, as shown in the above screenshots, through an sms: URI that is parsed by the application. Example: “sms:1252?body=TREND frcql1sm”.
Second Variant: Requests the victim’s phone number, which is entered and registered with the server’s backend. The malicious behavior is then the same as in the first variant.
The interaction between the web page and the in-app functions is facilitated by the JavaScript Interface, which allows JavaScript code inside a WebView to trigger actions in native (application-level) code. This can include the collection of data about the device, including the IMEI and IMSI, among others.
The GriftHorse Threat Actors
The GriftHorse campaign is one of the most widespread campaigns the zLabs threat research team has witnessed in 2021, attributing its success to the rarely seen combination of features:
Completely undetected and unreported by any other AV vendors;
More than 200 Trojan applications were used in the campaign;
Sophisticated architecture preventing the investigation of the extent of this campaign; and
No-Reuse policy to avoid the blocklisting of strings.
The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months.
In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims.
The following chart shows the category distribution of the apps found:
The Victims of GriftHorse Trojan
The campaign is exceptionally versatile, targeting mobile users from 70+ countries by changing the application’s language and displaying the content according to the current user’s IP address. Based on the collected intel, GriftHorse has infected over 10 million victims’ devices in the last few months.
The cybercriminal group behind the GriftHorse campaign has built a stable cash flow of illicit funds from these victims, generating millions in recurring revenue each month with the total amount stolen potentially well into the hundreds of millions. Each of the victims is charged over €30 per month, leading to recurring financial loss until they manage to rectify the issue by contacting their SIM operator.
The campaign has been actively under development for several months, starting from November 2020, and the last update dates back to April 2021. This means one of their first victims, if they have not shut off the subscription, has lost more than €200 at the time of writing. The cumulative loss of the victims adds up to a massive profit for the cybercriminal group.
Figure 21: Heatmap of the over 10 million victims spread across over 70 countries
Zimperium vs. GriftHorse Android Trojan
Zimperium zIPS customers are protected against GriftHorse Trojan with our on-device z9 Mobile Threat Defense machine learning engine.
To ensure your Android users are protected from the GriftHorse Trojan, we recommend a quick risk assessment. Any application containing GriftHorse will be flagged as a Suspicious App Threat on the device and in the zConsole. Admins can also review which apps are sideloaded onto the device, since these could be increasing the attack surface and leaving data and users at risk.
Summary of GriftHorse Android Trojan
The threat actors have exerted substantial effort to maximize their presence in the Android ecosystem through a large number of applications, developer accounts, and domains. The Zimperium zLabs researchers have noticed that the technique of abusing cross-platform development frameworks to stay undetected has been on the rise, making it more difficult for legacy mobile AV providers to detect threats and protect their customers.
The timeline of the threat group dates back to November 2020, suggesting that their patience and persistence will probably not come to an end with the closing down of this campaign. The threat to Android users will always be present, considering the innovative approaches used by malicious actors to infect the victims.
The numerical stats reveal that more than 10 million Android users fell victim to this campaign globally, suffering financial losses while the threat group grew wealthier and more motivated over time. And while the victims struggle to get their money back, the cybercriminals made off with millions of Euros through this technically novel and effective Trojan campaign.
Indicators of Compromise
List of Applications
| Package Name | App Name | Min installs | Max installs |
|---|---|---|---|
| com.tra.nslat.orpro.htp | Handy Translator Pro | 500,000 | 1,000,000 |
| com.heartratteandpulsetracker | Heart Rate and Pulse Tracker | 100,000 | 500,000 |
| com.geospot.location.glt | Geospot: GPS Location Tracker | 100,000 | 500,000 |
| com.icare.fin.loc | iCare – Find Location | 100,000 | 500,000 |
| my.chat.translator | My Chat Translator | 100,000 | 500,000 |
| com.bus.metrolis.s | Bus – Metrolis 2021 | 100,000 | 500,000 |
| com.free.translator.photo.am | Free Translator Photo | 100,000 | 500,000 |
| com.locker.tul.lt | Locker Tool | 100,000 | 500,000 |
| com.fin.gerp.rint.fc | Fingerprint Changer | 100,000 | 500,000 |
| com.coll.rec.ord.er | Call Recoder Pro | 100,000 | 500,000 |
| instant.speech.translation | Instant Speech Translation | 100,000 | 500,000 |
| racers.car.driver | Racers Car Driver | 100,000 | 500,000 |
| slime.simu.lator | Slime Simulator | 100,000 | 500,000 |
| keyboard.the.mes | Keyboard Themes | 100,000 | 500,000 |
| whats.me.sticker | What’s Me Sticker | 100,000 | 500,000 |
| amazing.video.editor | Amazing Video Editor | 100,000 | 500,000 |
| sa.fe.lock | Safe Lock | 100,000 | 500,000 |
| heart.rhy.thm | Heart Rhythm | 100,000 | 500,000 |
| com.sma.spot.loca.tor | Smart Spot Locator | 100,000 | 500,000 |
| cut.cut.pro | CutCut Pro | 100,000 | 500,000 |
| com.offroaders.survive | OFFRoaders – Survive | 100,000 | 500,000 |
| com.phon.fin.by.cl.ap | Phone Finder by Clapping | 100,000 | 500,000 |
| com.drive.bus.bds | Bus Driving Simulator | 100,000 | 500,000 |
| com.finger.print.def | Fingerprint Defender | 100,000 | 500,000 |
| com.lifeel.scanandtest | Lifeel – scan and test | 100,000 | 500,000 |
| com.la.so.uncher.io | Launcher iOS 15 | 100,000 | 500,000 |
| com.gunt.ycoon.dle | Idle Gun Tycoon | 50,000 | 100,000 |
| com.scan.asdn | Scanner App Scan Docs & Notes | 50,000 | 100,000 |
| com.chat.trans.alm | Chat Translator All Messengers | 50,000 | 100,000 |
| com.hunt.contact.ro | Hunt Contact | 50,000 | 100,000 |
| com.lco.nylco | Icony | 50,000 | 100,000 |
| horoscope.fortune.com | Horoscope : Fortune | 50,000 | 100,000 |
| fit.ness.point | Fitness Point | 50,000 | 100,000 |
| com.qub.la | Qibla AR Pro | 50,000 | 100,000 |
| com.heartrateandmealtracker | Heart Rate and Meal Tracker | 50,000 | 100,000 |
| com.mneasytrn.slator | Mine Easy Translator | 50,000 | 100,000 |
| com.phone.control.blockspamx | PhoneControl Block Spam Calls | 50,000 | 100,000 |
| com.paral.lax.paper.thre | Parallax paper 3D | 50,000 | 100,000 |
| com.photo.translator.spt | SnapLens – Photo Translator | 50,000 | 100,000 |
| com.qibl.apas.dir | Qibla Pass Direction | 50,000 | 100,000 |
| com.caollerrrex | Caller-x | 50,000 | 100,000 |
| com.cl.ap | Clap | 50,000 | 100,000 |
| com.eff.phot.opro | Photo Effect Pro | 10,000 | 50,000 |
| com.icon.nec.ted.trac.ker | iConnected Tracker | 10,000 | 50,000 |
| com.smal.lcallrecorder | Smart Call Recorder | 10,000 | 50,000 |
| com.hor.oscope.pal | Daily Horoscope & Life Palmestry | 10,000 | 50,000 |
| com.qiblacompasslocatoriqez | Qibla Compass (Kaaba Locator) | 10,000 | 50,000 |
| com.proo.kie.phot.edtr | Prookie-Cartoon Photo Editor | 10,000 | 50,000 |
| com.qibla.ultimate.qu | Qibla Ultimate | 10,000 | 50,000 |
| com.truck.roud.offroad.z | Truck – RoudDrive Offroad | 10,000 | 50,000 |
| com.gpsphonuetrackerfamilylocator | GPS Phone Tracker – Family Locator | 10,000 | 50,000 |
| com.call.recorder.cri | Call Recorder iCall | 10,000 | 50,000 |
| com.pikcho.editor | PikCho Editor app | 10,000 | 50,000 |
| com.streetprocarsracingss | Street Cars: pro Racing | 10,000 | 50,000 |
| com.cinema.hall | Cinema Hall: Free HD Movies | 10,000 | 50,000 |
| com.ivlewepapallr.bkragonucd | Live Wallpaper & Background | 10,000 | 50,000 |
| com.in1.tel.ligent.trans.lt.pro | Intelligent Translator Pro | 10,000 | 50,000 |
| com.aceana.lyzzer | Face Analyzer | 10,000 | 50,000 |
| com.tueclert.ruercder | *TrueCaller & TrueRecoder | 10,000 | 50,000 |
*This fake app is not to be confused with the legitimate Truecaller, by True Software Scandinavia AB
Zimperium provides the only mobile security platform purpose-built for enterprise environments. With machine learning-based protection and a single platform that secures everything from applications to endpoints, Zimperium is the only solution to provide on-device mobile threat defense to protect growing and evolving mobile environments. For more information or to schedule a demo, contact us today.