This dangerous mobile Trojan has stolen a fortune from over 10 million victims

Discussion in 'Headline News' started by RickAgresta, Oct 1, 2021.

  1. RickAgresta

    RickAgresta General Peanut, leader of the Peanutty Forces

    Messages:
    22,384
    Likes Received:
    21,050
    Trophy Points:
    288
    Researchers say the infections are generating millions of dollars a month in recurring revenue

    An Android Trojan has now achieved a victim count of over 10 million in at least 70 countries.

    According to Zimperium zLabs, the new malware has been embedded in at least 200 malicious applications, many of which have managed to circumvent the protections offered by the Google Play Store, the official repository for Android apps.

    The researchers say that the operators behind the Trojan have managed to infect so many devices that a stable cash flow of illicit funds, "generating millions in recurring revenue each month," has been established.

    Believed to have been in operation since November 2020, the "GriftHorse" campaign relies on victims being duped into handing over their phone number, which is then used to subscribe them to premium SMS messaging services.

    Victims first download Android apps that appear innocent and legitimate. These apps vary from puzzle games and utilities to dating software, food and drink, with the most popular malicious app -- a translator -- accounting for at least 500,000 downloads.

    Upon installation, however, the GriftHorse Trojan, written in Apache Cordova, constantly bombards the user with messages, alerting them to a fake prize they have won and then redirecting them to a web page based on their geolocation, and, therefore, their language.

    Mobile users are then asked to submit their phone numbers for verification purposes. If they submit this information, they are then subscribed to premium services "without their knowledge and consent," zLabs noted.

    Some of the charges are upward of €30 ($35) per month, and if a victim does not notice this suspicious transaction, then they could, theoretically, be charged for months on end with little hope of ever clawing back their cash.

    In order to avoid discovery, the malware's operators use changeable URLs rather than hardcoded addresses.

    "This method allowed the attackers to target different countries in different ways," the team says. "This check on the server-side evades dynamic analysis checking for network communication and behaviors."

    zLabs reported its findings to Google, which promptly removed the Android apps marked as malicious from Google Play. However, these apps are still available on third-party platforms.

    LINK: https://www.zdnet.com/article/this-...
     
    scjjtt and jigwashere like this.
  2. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    Messages:
    14,629
    Likes Received:
    6,906
    Trophy Points:
    113
    Ban & block subscriptions via SMS. Literally the least secure method ever for account verification and subscriptions. But carriers will never do it.
     
    scjjtt, jigwashere and RickAgresta like this.
  3. jigwashere

    jigwashere Mobile Deity

    Messages:
    18,089
    Likes Received:
    15,451
    Trophy Points:
    288
    What does the FCC do again? Anything?
     
    scjjtt likes this.
  4. RickAgresta

    RickAgresta General Peanut, leader of the Peanutty Forces

    Messages:
    22,384
    Likes Received:
    21,050
    Trophy Points:
    288
    scjjtt and jigwashere like this.