More than 10 million Android devices are infected by Android malware distributed through Google Play and third-party app stores.
Mobile security firm Zimperium says the campaign targets device users in 70 countries through harmless-looking scam apps that subscribe the victims to premium SMS services.
The trojan named GriftHorse is present in about 200 malicious Android applications, most of which have been removed from the Google Play store.
GriftHorse Android malware appears harmless and is undetectable
Zimperium says that the Android applications appear harmless at first based on their store description and requested permissions, giving users a false sense of confidence. Threat actors also spread the Android scam apps across various categories to cast a wider net.
Additionally, they avoid hardcoding their command-and-control server URLs or reusing domains, which defeats blocklisting based on known strings. They also serve payloads depending on the geographic origin of the user's IP address.
“This method allowed the attackers to target different countries in different ways,” the researchers wrote. “This check on the server-side evades dynamic analysis checking for network communication and behaviors.”
The operation of the Android malware makes it undetectable by Google Play store code analysis or mobile antiviruses. These evasion tactics have allowed the Android malware campaign to remain operational since November 2020.
Paul Bischoff, privacy advocate at Comparitech, said the most concerning issue was that Google allowed 200 Android malware scam apps on its platform. According to Bischoff, users were at more risk by implicitly trusting Google Play, which comes preinstalled on most devices.
“Play Protect, the antivirus scanner used to check Android apps for malicious behavior, fails to flag a lot of malware on Google Play,” Bischoff noted. “According to AV-Test, Play Protect detected only 52.3% of malware attacks in real-time and 55.1% of malware samples.
“The average for these two categories among all AV programs tested was 96.9% and 97.3%, respectively. That is not an effective antivirus. Humans probably aren’t reviewing apps before they’re published, either.”
The researchers also discovered that the threat actors developed the Android malware using the Apache Cordova mobile application development framework.
Infected Android apps include iCare – Find Location, My Chat Translator, Handy Translator Pro, Geospot: GPS Location Tracker, Heart Rate and Pulse Tracker, and others. The researchers published the full list of scam apps with their complete indicators of compromise.
Android scam apps steal hundreds of millions from victims
According to Zimperium, the scam apps trick users into clicking on malicious links to steal money from their accounts.
They serve users with pages based on their geolocation, IP address, and language to win their trust.
Once installed, the scam apps aggressively send a stream of pop-ups and notifications promising gifts and offers. Victims can receive up to five notifications every hour, increasing the likelihood that they take action.
On clicking, the malicious apps redirect users to online sites that request them to submit their phone numbers for verification to claim the prize. However, the threat actors secretly subscribe the victims to premium SMS services that start charging their phone bill without their knowledge.
Most victims do not detect the effects of the theft immediately, making it more likely for the scams to run for months. However, suspicion grows when users get charged month over month for services they never authorized, incurring expenses of up to about $42 or €36 every month.
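The notification flood described above is one of the few behaviours of this campaign a defender can measure on the device. The following added example (not code from the article or from Zimperium) runs a sliding one-hour window over a constructed notification log and flags any package that reaches the article's observed rate of five notifications per hour, counting how many of its messages use prize or offer lures; the package names, log format and lure vocabulary are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rate reported in the article: victims receive up to five notifications per hour.
ALERT_PER_HOUR = 5
WINDOW = timedelta(hours=1)
# Lure vocabulary is an assumption based on the "gifts and offers" the article describes.
LURE_WORDS = ("prize", "gift", "offer", "won", "claim", "reward")

# Constructed sample log, one notification per line: "<ISO timestamp> <package> <text>".
SAMPLE_LOG = """\
2021-09-29T10:00:00 com.example.translator You won a prize! Claim now
2021-09-29T10:12:00 com.example.translator Special offer waiting for you
2021-09-29T10:25:00 com.example.translator Claim your gift today
2021-09-29T10:40:00 com.example.translator Reward unlocked, tap to claim
2021-09-29T10:50:00 com.example.translator Last chance: free gift
2021-09-29T10:58:00 com.example.translator You won! Claim your prize
2021-09-29T10:05:00 com.example.weather Rain expected this afternoon
2021-09-29T11:05:00 com.example.weather Sunny tomorrow
"""

def parse_log(text):
    """Yield (timestamp, package, message) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, msg = line.split(" ", 2)
        yield datetime.fromisoformat(ts), pkg, msg

def flag_spammy_apps(text, alert_per_hour=ALERT_PER_HOUR):
    """Return {package: (peak notifications in any one-hour window, lure hits)}
    for every package whose peak reaches alert_per_hour."""
    events = sorted(parse_log(text), key=lambda e: e[0])
    windows = defaultdict(deque)   # package -> timestamps inside the current window
    peak = defaultdict(int)
    lures = defaultdict(int)
    for ts, pkg, msg in events:
        q = windows[pkg]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop timestamps older than one hour
            q.popleft()
        peak[pkg] = max(peak[pkg], len(q))
        if any(w in msg.lower() for w in LURE_WORDS):
            lures[pkg] += 1
    return {p: (peak[p], lures[p]) for p in peak if peak[p] >= alert_per_hour}

if __name__ == "__main__":
    print(flag_spammy_apps(SAMPLE_LOG))
```

Real notification listener data would replace SAMPLE_LOG; the rate threshold alone produces false positives for chatty but legitimate apps, so the lure count is what separates this pattern from ordinary noise.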
Zimperium security researchers found that the Android malware scam apps have stolen hundreds of millions of dollars in one of the “most widespread” campaigns.
“It’s unfortunate that it’s gotten to the point that you can’t fully trust apps in official first-party stores any longer,” Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, said. “These store vendors really must do a better job of policing the behavior of the applications they distribute.
“In some cases, ignorant users may be to blame, such as when they may attempt to download pirated copies of apps from third-party stores, but most users aren’t, nor should they be able to, spot malicious apps or app activity stemming from an official source.”