Don't look a GriftHorse in the mouth: Trojan trampled 10 million Android devices

You may be advised not to look a gift horse in the mouth, lest you appear ungrateful for questioning its health. But you probably want to examine your Android phone for GriftHorse, or rather for any of the 200 or so apps with different names that incorporate the malicious code.

Mobile security firm Zimperium, which first identified the GriftHorse Android Trojan, says the malware has infected more than 10 million Android devices worldwide; a fraction of one per cent of active 'droid devices, but still misery for literally millions of people.

In a blog post on Wednesday, Zimperium researchers Aazim Yaswant and Nipun Gupta said that Trojan code dubbed GriftHorse has been spotted in more than 200 malicious apps in at least 70 different countries and has been afflicting Android phones since November 2020.

Zimperium partners with Google to defend the ad giant's Play Store and thus has already informed the Chocolate Factory of its findings. Google, we're told, has already tamed its online souk. So reviewing the lengthy list of affected apps in the Zimperium's blog post probably isn't necessary for Android devices tied to Google Play.

But the subversive code may still be present in Android apps distributed through third-party stores, the researchers said, coincidentally echoing a talking point favored by Google and Apple about maintaining their app store control for the sake of security.

GriftHorse apps are designed to subscribe Android users to premium services without their permission, resulting in charges of about €36 per month ($42) until noticed and cancelled by the victim. This particular scam, the researchers speculate, may have netted the GriftHorse creators many millions of euros.

"Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately," explain Yaswant and Gupta. "These pop ups reappear no less than five times per hour until the application user successfully accepts the offer."

Once the user accepts, they explain, the malicious code redirects the victim to a webpage tailored for their specific location that then asks for a phone number as verification. That number is actually submitted to a premium SMS service subscription that adds an extra charge to the victim's monthly mobile bill.

What GriftHorse apps have in common is that they were built with the open source Apache Cordova framework, which relies on web technology like HTML, CSS, and JavaScript and provides a way to automatically push updates to apps without user intervention.

Once installed, a GriftHorse app fetches the encrypted files stored in the assets/www folder of the APK and decrypts them using AES/CBC/PKCS5Padding. The resulting index.html file then gets loaded via the Android WebView class. It's linked to an js/index.js file that sets up a Google Advertising ID and makes a POST request with an encrypted payload to the command-and-control (C2C) server.

The server responds with more encrypted data – the second-stage C&C URL, which is used to make a GET request via Cordova’s InAppBrowser to fetch the configuration data for pushing gift notifications.

If the user responds to the notifications, a third-stage URL is presented as an in-app web page to collect the victim's phone number. The scheme relies on embedded JavaScript code to interact with mobile device resources.

• Microsoft warns: Active Directory FoggyWeb malware being actively used by Nobelium gang
• Latest FinFisher spyware upgrades 'particularly worrying,' says Kaspersky
• Dissected: A dropper-as-a-service miscreants pay to push their malware onto potentially 1,000s of victims
• Windows 11 comes bearing THAAS, Trojan Horse as a service

"The interaction between the WebPage and the in-app functions is facilitated by the JavaScript Interface, which allows JavaScript code inside a WebView to trigger actions in the native (application) level code," explain Yaswant and Gupta. "This can include the collection of data about the device, including IMEI, and IMSI among others."

The researchers note that GriftHorse's success can in part be attributed to not reusing common strings in the application code, which avoids pattern-based detection and blocking.

The Register asked Google whether it anticipates the need to look into limiting the update mechanisms used in Android apps built with Apache Cordova, but we've not heard back. ®