This isn’t your ordinary household malware. Its mission is to sucker users into permissions that allow the cybercrooks to force monthly premium service charges. Business is good, too. So far, researchers estimate that the GriftHorse mob is making between $1.5 million to $4 million per month.
Where trouble ensues
Zimperium’s zLabs team said the malware is delivered to consumers by malicious Android apps that appear harmless at first. However, chaos ensues after the apps hoodwink users into granting certain permissions. At that point, victims start getting charged every month for premium paid services that they get subscribed to without their knowledge or consent.
“Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately. These pop ups reappear no less than five times per hour until the application user successfully accepts the offer. Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone numbers for verification,” Zimperium’s Aazim Yaswant and Nipun Gupta explained.
“But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 [$40 USD] per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back.”
Zimperium warned Google about the threat, and the company responded by verifying and removing the malware apps from its Play Store. However, the malicious applications might still be available on unsecured third-party app repositories or on an Android user’s phone. To help users identify the problem-causing apps, Zimperium offers a full list of the affected apps here.