Zimperium alerted Android users of the notorious Grifthorse Trojan that fraudulently made millions of users into paying for premium services. The services are not inherently malicious, but the subscription process is fraudulent.

The Grifthorse Trojan invaded the PlayStore by plugging some 200 legitimate-looking apps into the Google Play store. For several months, the Trojan targeted 10 million users from 70 countries. It originated in November 2020 but continued to infect devices for one year.

A Clever Social Engineering Scheme

The Grifthorse malware poses as innocent-looking apps such as puzzles, games, camera-related apps, and keyboard skins to push notifications and make fraudulent purchases. While the Play Store properly reviews all apps to ensure they are legitimate, some trojans make their way to the store by submitting a malware-free version of the app and then injecting the malware later. This will be explained later on.

At the heart of the Grifthorse malware is a manipulative social engineering scheme. After installing the apps, users are greeted with too-good-to-be-true notifications, promising special prizes and others.

All users have to do is type in their phone number to become eligible for the prize. This unknowingly signs them up for an SMS service that is charged at a rate of €35 per month. In doing so, the Grifthorse gang siphoned off millions of Euros from unknown users.

What makes the Grifthorse Trojan effective is that it managed to release over 200 malicious apps in the Play Store. The apps targeted a broad range of categories to maximize their pool of victims, including entertainment, personalization, lifestyle, and simulation.

The campaign doesn’t utilize any clever, ground-breaking code to maneuver around Android security systems. Instead, it attracts the user’s attention with push notifications and lures them into using the app.

The amount is small enough that most victims aren’t too worried. However, scaling up the attack across 70 countries allowed the Grifthorse gang to make millions. What’s particularly worrying is that the apps subscribe users to automatic billing, and many users cannot cancel their subscriptions through the app.

Google has since responded by removing the malware apps from the Play Store. However, it is not clear if Google managed to clean all the Trojanized apps. Some apps may still be up on third-party app stores where they can continue their ‘grift.’

Should You be Worried about the Grifthorse Trojan?

Most social engineering attacks are leveled at users who may not be very tech-savvy. Grifthorse Trojan uses non-technical strategies to trick users into breaking standard security practices.

In other words, if your Android systems are secure enough and the user base is aware of cybersecurity best practices, you have nothing to worry about the Grifthorse Trojan.

Don’t enter your number into push notifications for apps that don’t need them to run.

To ensure you and your employees are safe from the Trojan, we recommend a quick assessment here.

How to Safeguard from Grifthorse Trojan

The safety precautions against the Grifthorse Trojan are surprisingly easy to follow. All you or your organization has to do is follow simple steps to create awareness about the most common types of social engineering schemes, including phishing and tailgating.

While certain solutions mitigate social engineering schemes (such as data monitoring tools, firewalls, and anti-malware apps), having an informed base that recognizes and avoids social engineering tactics is the best defense against malware like the Grifthorse Trojan.

How Did GriftHorse Evade Detection for So Long?

The criminal minds behind Grifthorse used several clever methods to evade detection for as long as possible.

They kept the subscription amount to under $40. This made it unlikely for most users to notice the extra charge on their phone bill until several months later. And once they do figure out that they were being charged all this time, there is no way of raising refund requests.

Grifthorse further avoided detection by not using hard-coding URLs in their apps. The apps were created using the Apache Cordova framework to appear as legitimate as possible. This allows the app to use HTML, JavaScript, and CSS.

Consequently, developers could roll out updates without requiring the user to update manually. This is how Grifthorse managed to get past Google Play’s rigorous safety nets.

Grifthorse also rolled out wave after wave of malicious apps to maximize their chances of avoiding detection. Over 200 Trojan apps were distributed across multiple categories to increase their range of potential victims.

The threat actors behind Grifthorse have remained anonymous. Efforts to uncover their identities have so far led to dead ends. In other words, there is no way for victims to get their money back.

It is worth mentioning that the stolen amounts from individuals are small enough that it doesn’t incentivize a more large-scale manhunt. By comparison, malware like the WannaCry and Zeus siphoned off billions of dollars from unwitting users.

Are Threats like the Grifthorse Trojan Likely to Continue?

No matter how you look at it, the cybercriminals behind Grifthorse got away with millions of Euros. All they had to do was cleverly disguised malware as legitimate-looking apps to lure their victims.

The ease of the attack and prospects of a hefty payday indicate that threats like the Grifthorse Trojan will continue to propagate.

Meanwhile, our cybersecurity teams will continue to monitor these threats and protect users by analyzing malware and working with app stores to remove them. We recommend installing mobile security to detect these threats and protect you from them via regular updates.

And as always, exercise caution when using apps that require SMS-related permissions with caution. A legitimate photo editing app won’t ask for SMS permissions because they’re not necessary for them to run. If a request seems suspicious to you, do not allow it.

How to Keep Malwares like the Grifthorse Trojan Away from Your Phone

You can avoid malware like the GiftHorse Trojan by keeping your phone and apps updated. This cannot be stressed enough. Outdated software can be more harmful than you think. This is why you should not skip update notifications when they appear.

We also recommend installing a good antivirus app that provides real-time protection with automatic scans.

And the best way to steer clear of malware is to be aware of the social engineering tricks that threat actors use. You should never let your guard down when installing apps from the Play Store. Exercise extreme caution when installing apps from unknown businesses.

You can also read user reviews, and learn about the developer, the terms of use, and payment methods. Always choose a well-known app that has received positive reviews. You should avoid giving too many permissions to apps, even if they appear trustworthy.

Apps should only be granted notifications if they require them to perform their intended purpose. Apps that edit photos and provide wallpapers do not require access to your notifications.

Finally, telecom carriers have a modicum of responsibility to confirm with their users that they, and not a trojan, initiated requests for service subscriptions.

Wrapping Up

Most android phones are safe to use, and the only way to circumvent security systems is by deploying social engineering non-technical malware. Trojans like Grifthorse are convenient payloads that allow threat actors to siphon off money from many users.

Are you worried about the Grifthorse Trojan and similar malware? Click here for a quick risk assessment to learn what steps you and your organization can take to stay safe.