Don't look a GriftHorse in the mouth: Trojan trampled 10 million Android devices

Pushy code pressured people to sign up for premium services, netted 'millions of euros'


You may be advised not to look a gift horse in the mouth, lest you appear ungrateful for questioning its health. But you probably want to examine your Android phone for GriftHorse, or rather for any of the 200 or so apps with different names that incorporate the malicious code.

Mobile security firm Zimperium, which first identified the GriftHorse Android Trojan, says the malware has infected more than 10 million Android devices worldwide: a fraction of one per cent of active Android devices, but still misery for millions of people.

In a blog post on Wednesday, Zimperium researchers Aazim Yaswant and Nipun Gupta said that Trojan code dubbed GriftHorse has been spotted in more than 200 malicious apps in at least 70 different countries and has been afflicting Android phones since November 2020.

Zimperium partners with Google to defend the ad giant's Play Store and has already passed its findings to the Chocolate Factory. Google, we're told, has since pulled the offending apps from its online souk. Removal from the store does not uninstall copies already sitting on handsets, though, so it is still worth checking installed apps against the lengthy list in Zimperium's blog post, even on devices that only install from Google Play.

But the subversive code may still be present in Android apps distributed through third-party stores, the researchers said, coincidentally echoing a talking point favored by Google and Apple about maintaining their app store control for the sake of security.

GriftHorse apps are designed to subscribe Android users to premium services without their knowing consent, resulting in charges of about €36 (roughly $42) per month until the victim notices and cancels. The researchers speculate that this particular scam may have netted the GriftHorse creators many millions of euros.

"Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately," explain Yaswant and Gupta. "These pop ups reappear no less than five times per hour until the application user successfully accepts the offer."

Once the user accepts, they explain, the malicious code redirects the victim to a webpage tailored for their specific location that then asks for a phone number as verification. That number is actually submitted to a premium SMS service subscription that adds an extra charge to the victim's monthly mobile bill.

What GriftHorse apps have in common is that they were built with the open source Apache Cordova framework, which packages HTML, CSS, and JavaScript inside a native shell and provides a way to push updates to an app's web content without user intervention.

Once installed, a GriftHorse app reads the encrypted files stored in the APK's assets/www folder and decrypts them with AES in CBC mode with PKCS5 padding (the Java transformation string AES/CBC/PKCS5Padding). The resulting index.html is then loaded in an Android WebView. It pulls in a js/index.js file that obtains a Google Advertising ID and makes a POST request carrying an encrypted payload to the command-and-control (C2) server.

The server responds with more encrypted data: the second-stage C2 URL, which the app fetches with a GET request via Cordova's InAppBrowser plugin to obtain the configuration for pushing the gift notifications.

If the user responds to the notifications, a third-stage URL is presented as an in-app web page to collect the victim's phone number. The scheme relies on JavaScript embedded in those pages to interact with the device's resources.

"The interaction between the WebPage and the in-app functions is facilitated by the JavaScript Interface, which allows JavaScript code inside a WebView to trigger actions in the native (application) level code," explain Yaswant and Gupta. "This can include the collection of data about the device, including IMEI, and IMSI among others."

The researchers note that part of GriftHorse's success comes from not reusing common strings across the apps' code, which defeats simple pattern-based detection and blocking.

The Register asked Google whether it anticipates the need to look into limiting the update mechanisms used in Android apps built with Apache Cordova, but we've not heard back. ®

Biting the hand that feeds IT © 1998–2021