
Millions of Android users robbed by Trojans. A Case of Greeks Bearing Gifts.


An Android Trojan that goes by the name of GriftHorse has stolen hundreds of millions of US dollars from mobile users globally. This was revealed by the research wing of a respectable organization that also provides security software for mobile devices.

The Trojan was planted by a group of hackers active since the latter part of 2020. The perpetrators began their malicious campaign by distributing the malware through Google Play and other third-party app stores. The researchers promptly provided forensic evidence of the activity to Google, which removed the malware after the necessary verification. In spite of the quick response by Google, the app is still available for download from other unsecured third-party sources. This scenario highlights the importance of advanced security protocols on Android devices.

Just what is the malware, and how does it manage to fleece so many users of hundreds of millions? The question seems simple, but the answer needs thorough investigation.

The researchers assigned to get to the root of the problem discovered that GriftHorse is actually an aggressive mobile campaign that pretends to provide premium services to mobile users. Unlike other scams that use phishing as the mode of attack, this global malware hides behind Android apps and acts as a Trojan, taking advantage of user interactions and building on user activity.

At first the app appears benign and perfectly normal, sitting on the store until Android users download it and subscribe to its purported premium services, valued at 30 euros or thereabouts. That confidence shatters when users are charged continuously, month after month, without their knowledge. By the time they discover how they have been ripped off, the damage may have reached 200 euros or more.

On an individual scale, this amount may appear meager, but once the global scale is brought into view and the number of victims is taken into account, the total runs into several hundred million euros.

Several factors are responsible for the success of the campaign, which was launched in November 2020.

It targeted mobile users in more than 70 countries. Different languages and content were used to suit the conditions of the country being targeted.

The threat actors adopted cross-platform development frameworks to remain undetected, making it difficult for cybersecurity personnel to detect threats and protect mobile users.

The designers used sophisticated architecture to avoid detection.

A no-reuse policy was adhered to in order to avoid block-listing of strings.

The hackers used novel techniques, never before witnessed in a Trojan, to make sure that they went around stealing and getting richer without being detected.

A large number of applications were used to distribute the malware across several continents. The mode of distribution was well planned, allowing the Trojan to spread across multiple app categories and affect tens of millions of Android mobile users.

These and several other reasons have made GriftHorse the most widespread threat for mobile users. What’s more, it works under the guise of normal apps that appear routinely on the Play Store.

In essence, the malware is a grift disguised as a gift. A ruse learnt from history.
