New Android trojan malware has infected more than 10 million Android devices

[nanoguy]

In context: Google has been trying to keep malicious apps out of the Play Store for years with limited success. The company is constantly working to remove these apps, and the latest round of takedowns includes 200 apps across multiple categories that have been used to spread GriftHorse malware to over 10 million victims.

Apple's been getting lazy in the iOS security department as of late, despite pouring fuel into the fiery iOS vs. Android debate by claiming the latter mobile OS has 47 times more malware due to being open to sideloading apps. That said, it's hard to argue against the fact that Android is more attractive for malware developers, who are prodding it every chance they get.

Heatmap of the over 10 million victims

According to researchers at Zimperium zLabs (via TheRecord), a new Android trojan called GriftHorse has been embedded into no less than 200 malicious apps which were approved into the Google Play store as well as some third-party app stores. To date, the malware operators have managed to infect more than 10 million Android devices from over 70 countries and stole tens of millions of dollars from their victims.

The researchers explained in their report that the GriftHorse campaign has been active since at least November 2020 and through April 2021. When a user installs any of the malicious apps, GriftHorse will generate a large number of notifications and popups that lure people with special discounts or various prizes. People who tap on these get redirected to a web page where they're asked to confirm their phone number in order to access the promotion.

In reality, the victims of GriftHorse are subscribing to premium SMS services that charge over $35 per month. It's estimated that GriftHorse operators have been making anywhere from $1.5 million to $4 million per month using this scheme, and that their first victims have likely lost more than $230 if they didn't stop the scam.

Zimperium researchers Aazim Yaswant and Nipun Gupta note that this was a sophisticated malware campaign where operators used quality code and a wide spectrum of websites and malicious apps that cover almost every possible category. Zimperium notified Google about the offending apps; while the company did remove them from the Play Store, they can still be downloaded from third-party app stores.

This isn't the first time this type of attack has been leveled at Android users. Back in 2018, mobile security and data management firm Wandera found a similar piece of malware that could send SMS messages to premium services, among other things. And judging by the sophistication present in the GriftHorse campaign, they've likely been doing this for a long time.

Permalink to story.

https://www.techspot.com/news/91491-new-android-trojan-malware-has-infected-more-than.html

 

[VitalyT]

Apple is like - oh yeah, now can I do whatever the f. I want, like raise prices again...

 

[psycros]

Nowadays you have lots of ecosystem options:

1. A company that gives you access to their services in exchange for your digital soul while doing virtually nothing to protect you from bad actors.
2. A company that overcharges you for their hardware while making a moderate effort to guard your privacy and providing a superior user experience and services good enough for most people.
3. Incredibly niche open source platforms with no apps and so-so stability.
4. Chinese government spyware.

I miss the 2000's.

 

[kiwigraeme]

Well a lot of unanswered questions here ? main takeaway is you have to be not that savy - oh yippee I won a prize .
Who runs the SMS service? and who allows it?

When it comes to telcos - why are do they allow spammers, spoofers, unknown call backs to 900 numbers ?in some countries

If this example -where does the money come from - google play?
your own ISP or telco ? or do you have to enter a credit card?

Too many unanswered questions.

Yes occasionally it is very hard to let people really know they have win a prize

 

[Nobina]

Nowadays you have lots of ecosystem options:

1. A company that gives you access to their services in exchange for your digital soul while doing virtually nothing to protect you from bad actors.
2. A company that overcharges you for their hardware while making a moderate effort to guard your privacy and providing a superior user experience and services good enough for most people.
3. Incredibly niche open source platforms with no apps and so-so stability.
4. Chinese government spyware.

I miss the 2000's.

Number 4 FTW.

 

[Nobina]

The difference between American and Chinese spyware is that Americans tend to be more sophisticated and spin it as security while the Chinese straight up don't give a ****. I very much doubt Apple's security and privacy claims.


Android phone with official release of a custom ROM seems to be the best privacy option. It only has as much spyware as you put on it, you can use all the regular apps like you can on stock Android ROM, you can install firewalls and adblockers which additionally protect you from **** you don't want.

 

[Irata]

Remind me why stores get a 30% cut of sales and why customers are forced to use them in the case of Apple. There surely must be a security guarantee with the store provider covering all damages...

 

[Sausagemeat]

I find it laughable that people think Android is just as secure as iOS. Why is this bullshit even ever mentioned! It’s like trying to claim that the Swiss navy is the same size as the US Navy.

 

[PEnnn]

Apple is like - oh yeah, now can I do whatever the f. I want, like raise prices again...

Yes, because Androids are so cheap after all!!

Remind me again how much the Samsungs cost these days??

Ah yes, as expensive BUT totally infested, yay!!!

 

[VaRmeNsI]

Most AV producers have an Android app, just use that...

 

[woofer]

The difference between American and Chinese spyware is that Americans tend to be more sophisticated and spin it as security while the Chinese straight up don't give a ****. I very much doubt Apple's security and privacy claims.


Android phone with official release of a custom ROM seems to be the best privacy option. It only has as much spyware as you put on it, you can use all the regular apps like you can on stock Android ROM, you can install firewalls and adblockers which additionally protect you from **** you don't want.

What about apps that won't run when they detect a rooted setup? That made me give up messing with rooting my phones some years ago.

 

[woofer]

I find it laughable that people think Android is just as secure as iOS. Why is this bullshit even ever mentioned! It’s like trying to claim that the Swiss navy is the same size as the US Navy.

And how "secure" will iOS remain now that Apple has revealed that they can put in a backdoor (to "think of the children") when a government orders them to as Red China already does (for Android as well) to block "undesirable" content with words like "freedom", "democracy", "resist" etc.

Maybe it's time to go back to tin cans connected via string, smoke signals, midnight horseback rides, etc...

 

[Nobina]

What about apps that won't run when they detect a rooted setup? That made me give up messing with rooting my phones some years ago.

I didn't encounter those as they are rare or I just happen to not use them. Can't say what to do in that case but there's probably ways to bypass it, there's always something.

 

[woofer]

I didn't encounter those as they are rare or I just happen to not use them. Can't say what to do in that case but there's probably ways to bypass it, there's always something.

I am trying to switch, instead of fight it, with a Linux based PinePhone, but it's got a ways to go even with basic functionality such as power management, phone calls, text messages, GPS, etc.

The apps are mostly ports of PC-based Linux programs that are oriented toward large screens (that never rotate), keyboards, and mice. I am a long time Linux user, so those are familiar to me in the PC environment, but that does not carry over well to a phone UI, and useful apps originally devloped for Android/iOS phone platforms are mostly proprietary, and thus the developers are not much interested in adapting them to open source phone-linux without large numbers of users that will provide money some way or other (including ad eyeballs), much like the Windows phones of a few years ago I tried for escaping Google and Apple, only to be "embraced/abandoned" by an inept Microsoft that could not stick with it till they got it to work, and gain traction with developers, as they do with PC's. Still, I do miss the elegance of its much more eye friendly UI (to my eyes anyway).

Still, it's kinda fun when I feel like hacking (in the original honorable sense of tinkering with hardware, etc.).

 

[Moh3en]

Hi
unfortunately china usefull of all smartphone for rubbery with AI.their smart phone very dongerous and nobody don't know about this and a lot of people just compair with money

 

[Nobina]

Hi
unfortunately china usefull of all smartphone for rubbery with AI.their smart phone very dongerous and nobody don't know about this and a lot of people just compair with money

Exactly, couldn't have said it better myself

 

[Avro Arrow]

"When a user installs any of the malicious apps, GriftHorse will generate a large number of notifications and popups that lure people with special discounts or various prizes. People who tap on these get redirected to a web page where they're asked to confirm their phone number in order to access the promotion."
I have a hard time blaming Android when people are STILL stupid enough to fall for something as transparently dangerous as this. People have been told OVER AND OVER for more than a decade NOT to tap or click on popups and they're still doing it? How many times do people need to be told NOT to do crap like this before we finally give up?

These griefers keep at it because they keep getting rich from it. They would eventually stop on their own if people could just, you know...

 

[Avro Arrow]

Yes, because Androids are so cheap after all!!

That's because there's actual market competition between the brands. It's a similar situation to the 90s when PCs were incredibly cheap and Apples were uber-expensive. There's no question that PCs are the winners of that.

Remind me again how much the Samsungs cost these days??

Samsung is only ONE brand and people who choose Samsung are making the same dumb mistake that people who choose iPhone do. I've never owned a Samsung phone. I've owned two ZTE and two Motorola phones. My current phone is a Motorola Moto-G Power (2020) and it cost me less than $300CAD to buy it outright.

People who buy these uber-expensive phones are either so rich that they just don't care what they cost or they're not rich and are trying to compensate for some other SHORTcoming(s). I'm not trying to compensate for anything so I buy the phone that best suits my needs. Let's face it, on a screen the size of a phone, you wouldn't be able to tell 1080p from 480p and yet a whole bunch of dumba$$es want phones that have a 2160p display!

If I see a phone with a 2160p display, that's a dealbreaker for me because I'd rather the manufacturer put their efforts into the rest of the phone rather than some display that will look the same as everything else but cost 4x as much. What caught my attention with my Moto-G Power was the 5Ah battery. Now THAT is an awesome feature, one that actually makes a real difference.

So yeah, Android can be A LOT less expensive than iOS unless you don't want it to be.

 

[Avro Arrow]

Exactly, couldn't have said it better myself

Jeez, I hope that's not true!

I think that this is totally over-hyped when it comes to Chinese phones because the overwhelming majority of them (INCLUDING iPhones) are made in China and I've yet to come across any Chinese hardware back doors. My first two smartphones were made by ZTE and my second two are Motorola. Motorola's phone division was bought by Lenovo. Since Lenovo is based in Beijing, that means my Moto G Power is Chinese but there's nothing dangerous about it. I think that you might want to not believe every piece of American propaganda that you hear.

Do I think that all Chinese stuff is safe? I don't know if it is or not but I do know that I've never come across a Chinese device that wasn't safe. I've also learnt to take American propaganda with a grain of salt ever since Dubyah said "WEAPONS OF MASS DESTRUCTION".

Less than two years ago, you'd think that all hackers were Russian and now everyone says that they're Chinese so which is it? I bet the real hackers are probably in Albania (for example, I don't know if they really are) or something and laughing their butts off at how the Americans keep looking in the wrong places for them. Hell, they could even be here in Canada and pretending to be Chinese. It's not like the Americans would know the difference or care enough to find out if it means that they get to demonise the Chinese even more.

Q: What's the difference between Americans and Russians?
A: Americans believe their own propaganda.

 

[woofer]

Jeez, I hope that's not true!

I think that this is totally over-hyped when it comes to Chinese phones because the overwhelming majority of them (INCLUDING iPhones) are made in China and I've yet to come across any Chinese hardware back doors. My first two smartphones were made by ZTE and my second two are Motorola. Motorola's phone division was bought by Lenovo. Since Lenovo is based in Beijing, that means my Moto G Power is Chinese but there's nothing dangerous about it. I think that you might want to not believe every piece of American propaganda that you hear.

Do I think that all Chinese stuff is safe? I don't know if it is or not but I do know that I've never come across a Chinese device that wasn't safe. I've also learnt to take American propaganda with a grain of salt ever since Dubyah said "WEAPONS OF MASS DESTRUCTION".

Less than two years ago, you'd think that all hackers were Russian and now everyone says that they're Chinese so which is it? I bet the real hackers are probably in Albania (for example, I don't know if they really are) or something and laughing their butts off at how the Americans keep looking in the wrong places for them. Hell, they could even be here in Canada and pretending to be Chinese. It's not like the Americans would know the difference or care enough to find out if it means that they get to demonise the Chinese even more.

Q: What's the difference between Americans and Russians?
A: Americans believe their own propaganda.

It seems the Lithuanians found some sketchy Chinese phones (for their own market?).

Lithuania's Defense Ministry advises consumers to toss out their Chinese phones

These recommendations are not born out of a concern for privacy or Chinese tracking, as was the case here in the US. Instead, Lithuania is more worried...

www.google.com

The disturbing part is that the built-in censorship feature can be activated remotely, so what else can be "activated" remotely that has not been found so far?

 

[Shadowfoxy]

Well a lot of unanswered questions here ? main takeaway is you have to be not that savy - oh yippee I won a prize .
Who runs the SMS service? and who allows it?

When it comes to telcos - why are do they allow spammers, spoofers, unknown call backs to 900 numbers ?in some countries

If this example -where does the money come from - google play?
your own ISP or telco ? or do you have to enter a credit card?

Too many unanswered questions.

Yes occasionally it is very hard to let people really know they have win a prize

It's a pretty basic scam that would be platform independent, they aren't actually exploiting the os, they're exploiting the user's ignorance, so it would totally work fine on iOS too.

With your mobile provider you can subscribe to services that show up on your mobile bill, all you have to do is text the right code to the right short number and bam you subscribe to a monthly charge. You can actually have this disabled with your mobile provider, some have it off by default unless you requested it on. Basically your mobile provider will bill you and then pay whatever service you subscribed to, so it doesn't require entering your credit card or Google pay or anything that might tip the user off, the service is supposed to send you a text confirmation but since the service is malicious for scam purposes I'm guessing that doesn't happen? I would never fall for something this obvious so I can't say for sure, but that's the usual premise.

 

[kiwigraeme]

It's a pretty basic scam that would be platform independent, they aren't actually exploiting the os, they're exploiting the user's ignorance, so it would totally work fine on iOS too.

With your mobile provider you can subscribe to services that show up on your mobile bill, all you have to do is text the right code to the right short number and bam you subscribe to a monthly charge. You can actually have this disabled with your mobile provider, some have it off by default unless you requested it on. Basically your mobile provider will bill you and then pay whatever service you subscribed to, so it doesn't require entering your credit card or Google pay or anything that might tip the user off, the service is supposed to send you a text confirmation but since the service is malicious for scam purposes I'm guessing that doesn't happen? I would never fall for something this obvious so I can't say for sure, but that's the usual premise.

Thanks for the answer - when I ran my business - with a guess phone that when straight out - first easy thing is to ban 900 numbers - did it on staff phones as well - I had free calling to Australia - had to ban it on the guest phone - as some Aussie banks had short numbers where cost was shared. We do not have shared cost in NZ - but I believe Americans used to able to get revenge when they knew someone was away - by calling their phone and leaving line open .
Next you have to let telco know - they can not receive reverse charges ( collect call) - public phones have a certain beep signal- some operators might miss it - on an operator assisted call.
When I had copper lines - I destroyed all unused access points behind wall- incase some plugged a phone in
Given all that - I believe there were other ways - numbers that could be called that could cost you - but not widely known and most people not that horrible

 

[kiwigraeme]

When I was working in London at one company - after traders gone home - would sometimes - use one of the free lines to NY -and dial 9 and US number to speak with friends . 30 years ago when calls were expensive . This was a rich company - the free line was a sunk costs - so only the US national call costed the Head Company - but not the London office .
When I worked for a Oil company in London - we used to laugh seeing calls to Nigeria by the cleaners - It was the corporate Head Office - they didn't care about money - unlike the Admin Head Office just outside London that had lots of workers

 

[rmcrys]

Yes, because Androids are so cheap after all!!

Remind me again how much the Samsungs cost these days??

As of today I can buy at local store a brand new android for about 79€ (Android 10) and over 150€ for Android 12. The cheapest Samsung costs around 2.5x less than the cheapest iPhone... (and even charges over USB-C, like my 10€ bike light, a myth on the iPhone ecosystem)

Remind me why stores get a 30% cut of sales

If you had a mall with empty stores, would you rent those stores or let companies use those stores for free? And would you allow other companies to manage YOUR mall and dictate the rules? No to both so...

I think you get the picture.

The difference between American and Chinese spyware is that Americans tend to be more sophisticated and spin it as security while the Chinese straight up don't give a ****. I very much doubt Apple's security and privacy claims.

A big part of the "very concerned about privacy" play games online, use multiple social networks and have an account on several gaming platforms. That alone allows hundreds of sources for lack of security... but no, they are worried with the OS lolol

Even very known presidents use standard phones (iOS and Android) and governments Windows without any extra measures (only official apps are allowed) which shows how even governments are very little concerned (and how false are all these claims) about the OS itself, because they know the issue are many apps outside the official stores and websites you visit.

 

[captaincranky]

I miss the 2000's.

So do I. But mostly for the reason I was only 52 when they started.