Android Operating Systems Security

New GriftHorse Malware Infects More Than 10 Million Android Phones (therecord.media)

Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis. The Record reports: Discovered by mobile security firm Zimperium, the new GriftHorse malware has been distributed via benign-looking apps uploaded on the official Google Play Store and on third-party Android app stores. If users install any of these malicious apps, GriftHorse starts peppering users with popups and notifications that offer various prizes and special offers. Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over $35 per month, money that is later redirected into the GriftHorse operators' pockets.

Zimperium researchers Aazim Yaswant & Nipun Gupta, who have been tracking the GriftHorse malware for months, described it as "one of the most widespread campaigns the zLabs threat research team has witnessed in 2021." Based on what they've seen until now, the researchers estimated that the GriftHorse gang is currently making between $1.5 million and $4 million per month from their scheme.

  • Huh (Score:1, Troll)

    by Ol Olsoc ( 1175323 )
    It's okay. We're taking fits about the Apple lightning connector, but here we are. Right from the playstore, and the delicious openness of third party sites.

    I guess it's only 10 million, so no big deal.

    • It's okay. We're taking fits about the Apple lightning connector, but here we are. Right from the playstore, and the delicious openness of third party sites.

      I guess it's only 10 million, so no big deal.

      Exactly!

  • Does anyone here actually use any premium SMS services?

    I recall ringtones but that was from the feature-phone days. I have no idea what services are on offer now.

  • Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over $35 per month, money that is later redirected into the GriftHorse operators' pockets.

    I don't know much about Android, but wasn't the big kerfuffle over permissions a few years ago supposed to mitigate this? It's not even an exploit!

    • I don't know much about Android, but wasn't the big kerfuffle over permissions a few years ago supposed to mitigate this? It's not even an exploit!

      Permission is what you ask for before doing something; forgiveness after you've consummated the sin.

      Permit, nah forgive, me in advance for the sorry pun, but you generally don't require permission to look a grift horse in the mouth.

    • Also, how are they getting billed for this? If cell phone networks are assisting with the billing, the incentives are on their end not to do anything about it.

      If you ask me, the cell phone networks should be the ones who get named and shamed, not Android. Opening a webview is not that difficult. Even an iPhone can do it. And anyone can be tricked into entering an SMS verification code into a web form.

      • Well, Visa and MasterCard blackballed donations to Wikileaks and others, so Google is big enough to tell them which payments get the royal treatment, where no money flows. If the payments were fraudulent, the US has a track record of extraditing no-gooders IF they make too much of a nuisance.
  • Like unvaccinated, hospitalized, covid patients; I see a trend developing amongst the noise.

  • by Aighearach ( 97333 ) on Wednesday September 29, 2021 @08:23PM (#61846631)

    They mention finding it on the Google Play Store, and they wave their hands at "3rd party stores," but they don't seem to actually be claiming to have found it on any 3rd party stores? Do they just mean that they found it in the Google Play Store, and that Android has 3rd party stores? Did they only find it on a 3rd party store so shady they didn't want to list it?

    • They mention finding it on the Google Play Store, and they wave their hands at "3rd party stores," but they don't seem to actually be claiming to have found it on any 3rd party stores? Do they just mean that they found it in the Google Play Store, and that Android has 3rd party stores? Did they only find it on a 3rd party store so shady they didn't want to list it?

      They found it on Google Play. Anywhere else is irrelevant.

      Pretty blatant phishing attempt for them to miss.

    • by tlhIngan ( 30335 )

      They mention finding it on the Google Play Store, and they wave their hands at "3rd party stores," but they don't seem to actually be claiming to have found it on any 3rd party stores? Do they just mean that they found it in the Google Play Store, and that Android has 3rd party stores? Did they only find it on a 3rd party store so shady they didn't want to list it?

      Well, if it's on Google Play, it will be on 3rd party app stores as well. Maybe not honest and trustworthy ones like Amazon, F-Droid or such, but

    • by AmiMoJo ( 196126 )

      This is actually quite important because any phone with Google Play Services (99% of them) will have already uninstalled this malware after Google blacklisted it. But devices without any Google services, like those running a Google-free AOSP build or Amazon Fire devices, won't have got the benefit of that and the owners need to check themselves.

  • by takionya ( 7833802 ) on Wednesday September 29, 2021 @08:42PM (#61846665)
    "New GriftHorse Malware Infects More Than 10 Million Android Phones"

    The malware doesn't infect Android. The end user has to download and install a compromised app from an app-store.
    • "New GriftHorse Malware Infects More Than 10 Million Android Phones"

      The malware doesn't infect Android. The end user has to download and install a compromised app from an app-store.

      Insightful?!? C'mon, Mods!

      It infects Android phones.

      Tell me how there is a difference to an Android phone User?

      • "New GriftHorse Malware Infects More Than 10 Million Android Phones"

        The malware doesn't infect Android. The end user has to download and install a compromised app from an app-store.

        Insightful?!? C'mon, Mods!

        It infects Android phones.

        Tell me how there is a difference to an Android phone User?

        The same difference a person considers with biological pathogen infection paths: if they have a better understanding of what causes the infection, they can be better prepared to defend against it.

        So for an Android phone user, if they know it's caused by the user downloading something themselves, they (can) know to be on the lookout for suspicious apps (which opens up a whole other can of worms). If, on the other hand, they don't know anything about it, then they have no idea what to look for.

  • by khchung ( 462899 ) on Thursday September 30, 2021 @12:58AM (#61847011) Journal

    Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over $35 per month

    The real scammers are the telcos that charged you just because some website got your phone number. No matter what webpage the scammer used, telcos should not be allowed to add charges to a bill without authenticating that the actual customer is subscribing knowingly through the proper channels.

    How the heck does the FCC allow phone companies to perpetuate this scam?

    • by Munchr ( 786041 )

      Even better, after more than 30 years of various scams cramming people into premium billing services, how is it that NONE of the carriers offer an option to their customer to block premium billing services?

    • Always the bottom line. Why do they allow leasing of lines/numbers so that fake call centres can scam at will using inland numbers? Why do they not allow people to block natively at the service and instead you have to have some device to filter non-compliant caller ID? Yes, you're just the carrier, but at least have some mechanism to validate legitimate companies or fast track violating terms. Hell, you could just do basic checks like has the company been registered for at least 1-2 years, does it tie to a
  • The phone services providers profit too which is likely why they don't separately ask you to confirm* with a note of the premium price and they don't easily allow you to look at all of your subscriptions* and they don't easily allow you to contest them*.

    *Assuming since I've never signed up to a premium sms anything.

    In the past I've gotten unsolicited SMSs from a company I am dealing with and they required me to SMS a premium number to cancel them, I didn't, I went to lengths to find other avenues to contact

  • why is it so hard to catch them? just ask telcos to which banking accounts the money goes
  • Tip for journalists: Never mention the apps which were compromised in an article about malicious android apps. Readers hate that!

    I knew a journalist who mentioned relevant details in a story once, and he was fired within a week. Within a month, his house had been teepeed; within six months, his girlfriend had left him, and within a year he'd had to move out of state.

    Remember, journalists, TMI is a bad thing. Really, we'd rather be scared than able to do anything about it.

  • TFA doesn't list them, but it includes a link to the researchers' blog [zimperium.com] where they go into detail about the nature of the malware and conclude (way at the bottom) with a list of (known) malware apps to avoid.
