In context: Google has been trying to keep malicious apps out of the Play Store for years with limited success. The company is constantly working to remove these apps, and the latest round of takedowns includes 200 apps across multiple categories that have been used to spread GriftHorse malware to over 10 million victims.
Apple's been getting lazy in the iOS security department as of late, despite pouring fuel into the fiery iOS vs. Android debate by claiming the latter mobile OS has 47 times more malware due to being open to sideloading apps. That said, it's hard to argue against the fact that Android is more attractive for malware developers, who are prodding it every chance they get.
Heatmap of the over 10 million victims
According to researchers at Zimperium zLabs (via TheRecord), a new Android trojan called GriftHorse has been embedded into no less than 200 malicious apps that were approved into the Google Play Store as well as some third-party app stores. To date, the malware operators have managed to infect more than 10 million Android devices in over 70 countries and have stolen tens of millions of dollars from their victims.
The researchers explained in their report that the GriftHorse campaign has been active from at least November 2020 through April 2021. When a user installs any of the malicious apps, GriftHorse generates a large number of notifications and popups that lure people with special discounts or various prizes. People who tap on these are redirected to a web page where they're asked to confirm their phone number in order to access the promotion.
In reality, the victims of GriftHorse are being subscribed to premium SMS services that charge over $35 per month. It's estimated that GriftHorse operators have been making anywhere from $1.5 million to $4 million per month using this scheme, and that their first victims have likely lost more than $230 if they never stopped the scam.
Zimperium researchers Aazim Yaswant and Nipun Gupta note that this was a sophisticated malware campaign where operators used quality code and a wide spectrum of websites and malicious apps that cover almost every possible category. Zimperium notified Google about the offending apps; while the company did remove them from the Play Store, they can still be downloaded from third-party app stores.
This isn't the first time this type of attack has been leveled at Android users. Back in 2018, mobile security and data management firm Wandera found a similar piece of malware that could, among other things, send SMS messages to premium services. And judging by the sophistication present in the GriftHorse campaign, its operators have likely been doing this for a long time.