A malware campaign infected millions of Android devices in over 70 countries and stole hundreds of millions from its victims by tricking them into subscribing to paid services without their consent.
The Trojan used in these attacks, dubbed GriftHorse, was discovered by Zimperium zLabs researchers, who first spotted this illicit global premium services campaign.
This campaign was active for around five months, between November 2020 and April 2021, when the malicious apps were last updated.
The malware was spread through more than 200 trojanized Android applications distributed via Google’s official Play Store and third-party app stores.
Google has removed the apps after being notified of their malicious nature, but they are still available for download on third-party repositories.
The researchers estimate that the cybercriminals could steal millions in recurring payments every month from victims around the world.
The threat actors used the GriftHorse malware to infect their victims and subscribe them to premium services, earning hundreds of millions.
The 200 trojanized applications went undetected by numerous anti-malware vendors for months while the GriftHorse campaign was active.
The GriftHorse developers made sure that the trojanized applications were spread across multiple categories to hit as many victims as possible.
Once installed on a victim’s phone, these malicious apps gained access to the mobile phone number and used it to present prize and gift alerts that tricked unsuspecting victims into subscribing to premium SMS services, which added charges of more than €30 per month to their phone bills.
Victims who didn’t immediately notice paid these charges for months, with few options to get their money back.
The researchers stated that more than 10 million Android users fell victim to this campaign globally, suffering financial losses while the threat group grew wealthier and more motivated over time.