You may be advised not to look a gift horse in the mouth, lest you appear ungrateful for questioning its health. But you probably want to examine your Android phone for GriftHorse, or rather for any of the 200 or so apps with different names that incorporate the malicious code.
Mobile security firm Zimperium, which first identified the GriftHorse Android Trojan, says the malware has infected more than 10m Android devices worldwide.
In a blog post on Wednesday, Zimperium researchers Aazim Yaswant and Nipun Gupta said that Trojan code dubbed GriftHorse has been spotted in more than 200 malicious apps in at least 70 different countries and has been afflicting Android phones since November 2020.
Zimperium partners with Google to defend the ad giant’s Play Store and thus has already informed the Chocolate Factory of its findings. Google, we’re told, has already tamed its online souk. So reviewing the lengthy list of affected apps in the Zimperium’s blog post probably isn’t necessary for Android devices tied to Google Play.
But the subversive code may still be present in Android apps distributed through third-party stores, the researchers said, coincidentally echoing a talking point favored by Google and Apple about maintaining their app store control for the sake of security.
GriftHorse apps are designed to subscribe Android users to premium services without their permission, resulting in charges of about €36 per month ($42) until noticed and cancelled by the victim. This particular scam, the researchers speculate, may have netted the GriftHorse creators many millions of euros.
“Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately,” explain Yaswant and Gupta. “These pop ups reappear no less than five times per hour until the application user successfully accepts the offer.”
Once the user accepts, they explain, the malicious code redirects the victim to a webpage tailored for their specific location that then asks for a phone number as verification. That number is actually submitted to a premium SMS service subscription that adds an extra charge to the victim’s monthly mobile bill.
Once installed, a GriftHorse app fetches the encrypted files stored in the
assets/www folder of the APK and decrypts them using
AES/CBC/PKCS5Padding. The resulting
index.html file then gets loaded via the Android WebView class. It’s linked to an
js/index.js file that sets up a Google Advertising ID and makes a POST request with an encrypted payload to the command-and-control (C2C) server.
The server responds with more encrypted data – the second-stage C&C URL, which is used to make a GET request via Cordova’s InAppBrowser to fetch the configuration data for pushing gift notifications.
The researchers note that GriftHorse’s success can in part be attributed to not reusing common strings in the application code, which avoids pattern-based detection and blocking.
The Register asked Google whether it anticipates the need to look into limiting the update mechanisms used in Android apps built with Apache Cordova, but we’ve not heard back. ®