New GriftHorse Malware Infects More Than 10 Million Android Phones (therecord.media) 30
Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis. The Record reports: Discovered by mobile security firm Zimperium, the new GriftHorse malware has been distributed via benign-looking apps uploaded to the official Google Play Store and to third-party Android app stores. If users install any of these malicious apps, GriftHorse starts peppering them with popups and notifications that offer various prizes and special offers. Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over $35 per month, money that is later redirected into the GriftHorse operators' pockets.
Zimperium researchers Aazim Yaswant & Nipun Gupta, who have been tracking the GriftHorse malware for months, described it as "one of the most widespread campaigns the zLabs threat research team has witnessed in 2021." Based on what they've seen until now, the researchers estimated that the GriftHorse gang is currently making between $1.5 million to $4 million per month from their scheme.
Huh (Score:1, Troll)
I guess it's only 10 million, so no big deal.
Re: (Score:2)
It's okay. We're taking fits about the Apple lightning connector, but here we are. Right from the playstore, and the delicious openness of third party sites.
I guess it's only 10 million, so no big deal.
Exactly!
premium SMS services? (Score:2)
Does anyone here actually use any premium SMS services ?
I recall ringtones but that was from the feature-phone days. I have no idea what services are on offer now.
Re: (Score:2)
Have your porn texted to you.
Re:premium SMS services? (Score:4, Informative)
No one does. But the phone operators get a cut from those sales, so they have no incentive to shut down that useless, exploitable service. They are in bed with the malware folks.
Re: premium SMS services? (Score:2)
Carriers in the US no longer bill customers for third party services like premium SMS ever since the FCC cracked down on cramming. This malware is only relevant in less civilized countries.
Re: (Score:2)
Does anyone here actually use any premium SMS services ?
I recall ringtones but that was from the feature-phone days. I have no idea what services are on offer now.
Check out this on Reddit. [reddit.com]
Mmm hmm (Score:2)
Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over $35 per month, money that are later redirected into the GriftHorse operators' pockets.
I don't know much about Android, but wasn't the big kerfuffle over permissions a few years ago supposed to mitigate this? It's not even an exploit!
A grift horse in the mouth (Score:3)
I don't know much about Android, but wasn't the big kerfuffle over permissions a few years ago supposed to mitigate this? It's not even an exploit!
Permission is what you ask for before doing something; forgiveness after you've consummated the sin.
Permit, nah forgive, me in advance for the sorry pun, but you generally don't require permission to look a grift horse in the mouth.
Re: (Score:3)
Also, how are they getting billed for this? If cell phone networks are assisting with the billing, the incentives are on their end not to do anything about it.
If you ask me, the cell phone networks should be the ones who get named and shamed, not Android. Opening a webview is not that difficult. Even an iPhone can do it. And anyone can be tricked into entering an SMS verification code into a web form.
"Users who tap on these notifications" (Score:1, Offtopic)
Like unvaccinated, hospitalized, covid patients; I see a trend developing amongst the noise.
Unsubstantiated Claim (Score:3)
They mention finding it on the Google Play Store, and they wave their hands at "3rd party stores," but they don't seem to actually be claiming to have found it on any 3rd party stores? Do they just mean that they found it in the Google Play Store, and that Android has 3rd party stores? Did they only find it on a 3rd party store so shady they didn't want to list it?
Re: (Score:2)
They mention finding it on the Google Play Store, and they wave their hands at "3rd party stores," but they don't seem to actually be claiming to have found it on any 3rd party stores? Do they just mean that they found it in the Google Play Store, and that Android has 3rd party stores? Did they only find it on a 3rd party store so shady they didn't want to list it?
They found it on Google Play. Anywhere else is irrelevant.
Pretty blatant phishing attempt for them to miss.
Re: (Score:2)
Well, if it's on Google Play, it will be on 3rd party app stores as well. Maybe not honest and trustworthy ones like Amazon, F-Droid or such, but
Re: (Score:2)
This is actually quite important because any phone with Google Play Services (99% of them) will have already uninstalled this malware after Google blacklisted it. But devices without any Google services, like those running a Google-free AOSP build or Amazon Fire devices, won't have got the benefit of that and the owners need to check themselves.
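For owners of Google-free devices who do want to check themselves, the following script is an added example for this thread, not tooling from Zimperium, Google or Amazon. It parses the output of `adb shell pm list packages -3` (with or without `-f`) and compares the installed third-party package names against an indicator list. The thread does not name the GriftHorse apps, so the package names and `pm` output below are constructed placeholders; substitute the vendor's published list. The `parse_pm_list`, `find_iocs` and `uninstall_commands` helper names are the example's own.

```python
"""Check a device's installed third-party packages against an IoC list.

Added example for this thread, not Zimperium's or Google's tooling. The IoC
package names and sample `pm` output are constructed placeholders: the thread
does not list the real GriftHorse package names, so substitute the vendor's
published list. Input is the output of `adb shell pm list packages -3`
(optionally with -f to include the APK path).
"""
import re
import subprocess
from typing import Dict, Iterable, List

# `pm list packages` prints "package:com.foo" or, with -f,
# "package:/data/app/~~x==/com.foo-y==/base.apk=com.foo".
_PM_LINE = re.compile(r"^package:(?:(?P<path>.+\.apk)=)?(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path ('' when -f was not used); ignores junk lines."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _PM_LINE.match(raw.strip())
        if m:
            found[m.group("pkg")] = m.group("path") or ""
    return found


def find_iocs(installed: Dict[str, str], iocs: Iterable[str]) -> List[str]:
    """Return the installed package names that appear in the IoC list, sorted."""
    ioc_set = {p.strip().lower() for p in iocs if p.strip()}
    return sorted(p for p in installed if p.lower() in ioc_set)


def uninstall_commands(matches: Iterable[str]) -> List[str]:
    """adb commands to remove matches for user 0; works with no Play Services."""
    return [f"adb shell pm uninstall --user 0 {p}" for p in matches]


def list_installed_from_device() -> Dict[str, str]:
    """Live path: needs adb on PATH and an authorized device attached."""
    out = subprocess.run(["adb", "shell", "pm", "list", "packages", "-f", "-3"],
                         capture_output=True, text=True, check=True).stdout
    return parse_pm_list(out)


# Constructed sample output (not from a real device) so the script runs offline.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~AbC==/com.example.keyboardtheme-1/base.apk=com.example.keyboardtheme
package:/data/app/~~DeF==/org.fdroid.fdroid-2/base.apk=org.fdroid.fdroid
package:/data/app/~~GhI==/com.example.freeprizes-1/base.apk=com.example.freeprizes
this line is not a package entry
"""

# Constructed placeholder IoC list; replace with the published package names.
SAMPLE_IOCS = ["com.example.freeprizes", "com.example.horoscope"]

if __name__ == "__main__":
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    hits = find_iocs(installed, SAMPLE_IOCS)
    for p in hits:
        print(f"IoC match: {p} at {installed[p] or '(path not listed)'}")
    for cmd in uninstall_commands(hits):
        print(cmd)
```

Swap `parse_pm_list(SAMPLE_PM_OUTPUT)` for `list_installed_from_device()` to run it against a real device over USB debugging. Matching on package name alone is only as good as the indicator list; an app republished under a new package name will not be caught, so treat a clean result as "no known indicator present", not as a guarantee.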
Why does slashdot keep posting this horseshit? (Score:4, Insightful)
The malware doesn't infect Android. The end user has to download and install a compromised app from an app-store.
Re: (Score:2)
"New GriftHorse Malware Infects More Than 10 Million Android Phones"
The malware doesn't infect Android. The end user has to download and install a compromised app from an app-store.
Insightful?!? C'mon, Mods!
It infects Android phones.
Tell me how there is a difference to an Android phone User?
Re: (Score:2)
> Tell me how there is a difference to an Android phone User?
"Infects Android phones" implies "... without human intervention". A user of an Android phone who does not install any apps is immune to this variety of malware. That is how there is a difference to the Android phone user.
Ok. I'll buy that.
Re: (Score:2)
"New GriftHorse Malware Infects More Than 10 Million Android Phones"
The malware doesn't infect Android. The end user has to download and install a compromised app from an app-store.
Insightful?!? C'mon, Mods!
It infects Android phones.
Tell me how there is a difference to an Android phone User?
The same difference a person considers with biological pathogen infection paths: if they have a better understanding of what causes the infection, they can be better prepared to defend against it.
So for an Android phone user, if they know it's caused by the user downloading something themselves, they (can) know to be on the lookout for suspicious apps (which opens up a whole other can of worms). If, on the other hand, they don't know anything about it, then they have no idea what to look for.
The real scammers are the telcos (Score:5, Insightful)
Users who tap on these notifications are redirected to an online page where they are asked to confirm their phone number in order to access the offer. But, in reality, users are subscribing themselves to premium SMS services that charge over $35 per month
The real scammers are the telcos that charged you just because some website got your phone number. No matter what webpage the scammer used, telcos should not be allowed to add charges to a bill without authenticating that the actual customer is subscribing knowingly through the proper channels.
How the heck does the FCC allow phone companies to perpetuate this scam?
Re: (Score:3)
Even better, after more than 30 years of various scams cramming people into premium billing services, how is it that NONE of the carriers offer an option to their customer to block premium billing services?
Blame the carriers (Score:2)
The phone service providers profit too, which is likely why they don't separately ask you to confirm* with a note of the premium price, and they don't easily allow you to look at all of your subscriptions*, and they don't easily allow you to contest them*.
*Assuming since I've never signed up to a premium sms anything.
In the past I've gotten unsolicited SMSs from a company I am dealing with, and they required me to SMS a premium number to cancel them. I didn't; I went to lengths to find other avenues to contact
catch them (Score:2)
Don't tell us which apps (Score:2)
Tip for journalists: Never mention the apps which were compromised in an article about malicious android apps. Readers hate that!
I knew a journalist who mentioned relevant details in a story once, and he was fired within a week. Within a month, his house had been teepeed; within six months, his girlfriend had left him, and within a year he'd had to move out of state.
Remember, journalists, TMI is a bad thing. Really, we'd rather be scared than able to do anything about it.
List of affected apps (Score:2)