With the increase of mobile device use in everyday life, it is no surprise to see cybercriminals targeting these endpoints for financial crimes.
Zimperium zLabs recently discovered an aggressive mobile premium services campaign that poses a threat to all Android devices by functioning as a Trojan that subscribes unsuspecting users to paid services, charging a premium that amounts to around 36 Euros ($42 US) per month.
The mobile application could have upwards of 10 million victims globally, and the total amount stolen could be well into the hundreds of millions of Euros, the zLabs report found. The applications were initially distributed through both Google Play and third-party application stores.
The campaign has targeted millions of users from over 70 countries by serving selective malicious pages to users based on the geo-location of their IP address and the local language.
While typical premium service scams take advantage of phishing techniques, this specific global scam has hidden behind malicious Android applications acting as Trojans, allowing it to take advantage of user interactions for increased spread and infection.
Looking a GriftHorse in the Mouth
The Zimperium zLabs researchers discovered this global premium services Trojan campaign through a rise in specific alerts from their on-device malware detection engine. Forensic evidence of this active Android Trojan attack, which zLabs named GriftHorse, suggests that the threat group has been running this campaign since November 2020.
The company reported the findings to Google, who verified the provided information and removed the malicious applications from the Google Play store.
However, the malicious applications are still available on unsecured third-party app repositories, highlighting the risk sideloading applications poses to mobile endpoints and user data and the need for advanced on-device security.
“The main purpose of this malware is to profit from premium subscriptions. The damage is purely economic,” explained Nicolás Chiaraviglio, vice president of security research at Zimperium. “Users should be extra cautious about downloading apps from third-party app stores and should monitor their accounts for unwanted premium subscriptions.”
He noted the malware is disguised as a set of very different types of applications to attract very different user profiles.
“The hackers created apps that look attractive and could actually be very useful. But the sole purpose of the apps is to subscribe these users to premium services,” he said. “At the same time, even when the user deletes the application, the subscription won’t be interrupted, generating even more damage.”
This technology enables developers to deploy updates to apps without requiring the user to update manually. While this framework can provide the user a better experience and security with legitimate apps, the very same technology can be abused to host the malicious code on the server and develop a nefarious application that executes this code in real-time.
Mobile Devices are a Financial Target
Chiaraviglio explained hackers are targeting mobile endpoints for financial crimes for three primary reasons: First, there are now billions of mobile devices, making their target market huge.
Second, mobile endpoints are now the primary method through which users perform financial activities, including banking, investments, payments and shopping. And third, the vast majority of mobile endpoints are completely unprotected by any security solutions.
Meanwhile, malware has been evolving to pursue economic profits and to avoid detection.
“We’ve seen a rise in mobile banking trojans, subscribers to premium services, ransomware and so on,” he said. “We can expect this trend to continue. Attackers continue to evolve the technology and techniques they use in order to make the detection trickier, so security vendors need to be constantly updating their techniques to keep up with malware evolution.”
The report noted that the GriftHorse Trojan developer’s patience and persistence will “probably not come to an end” even if this campaign is closed down, and warned that the threat to Android users will always be present, considering the innovative approaches used by malicious actors to infect the victims.
Last month, researchers at Zimperium zLabs detailed multiple instances of a new Android Trojan, FlyTrap, which has hit more than 10,000 victims via social media hijacking, third-party app stores and sideloaded applications.