Zimperium zLabs: GriftHorse stole money from over 10 million victims globally. The malware, a trojan, has been used in an aggressive mobile premium services campaign against Android users in 70 countries.
GriftHorse has been used to steal money from over 10 million victims globally. It was reported by Zimperium zLabs cybersecurity experts, who recently discovered an aggressive mobile premium services campaign against Android users. The cybercrime group behind the trojan has been running this campaign since November 2020. These malicious applications are distributed through both Google Play and third-party application stores. The campaign has targeted millions of users from over 70 countries by serving malicious pages selected according to the geo-location of each user's IP address and written in the local language. This is meant to trick users, who might feel more comfortable sharing information with a website in their local language.
The cybersecurity experts: How the cybercrime campaign works
Upon infection with GriftHorse, victims are bombarded with on-screen alerts telling them they have won a prize and need to claim it immediately. These pop-ups reappear no less than five times per hour until the application user accepts the offer. Once the victim accepts the invitation for the prize, the malware redirects them to a geo-specific webpage where they are asked to submit their phone number for verification. In reality, they are submitting their phone number to a premium SMS service that starts charging their phone bill over €30 per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back.