Malware in Android apps (Example GriftHorse)

Android malware has become one of the most problematic security issues of 2020/2021. Actually, I could write about malware-infected apps almost every day. Today, I'd like to share a case from a few days ago about the so-called GriftHorse malware, which has infected more than 10 million devices worldwide.


Android users are increasingly in danger of getting malware onto their systems by downloading apps from the Google Play Store or alternative app stores. A few days ago, I described the case of a barcode scanner app that sporadically opened web pages on the blog (see Android App Barcode Scanner with Trojan – opens random websites). But there is more dangerous Android malware that reaches devices through apps.

Example GriftHorse malware

It's been a few weeks since I saw the following tweet on Twitter warning about this Android malware. Some details are described in this article.

GriftHorse Android Malware

Security vendor Zimperium has discovered the Android malware in question in various apps. Zimperium researchers Aazim Yaswant & Nipun Gupta, who have been tracking the GriftHorse malware for months, called it "one of the most widespread campaigns the zLabs threat research team has seen in 2021."

Security researchers estimate that those behind the GriftHorse malware have infected more than 10 million Android devices in over 70 countries. The estimate of this gang's revenue is from $1.5 million to as much as $4 million per month. The damage is in the hundreds of millions of euros.


Forensic investigation of the Android Trojan attack with GriftHorse indicates that the threat group has been running this campaign since November 2020. These malicious applications were initially distributed through both Google Play Store and third-party application stores.

These malicious Android applications seem harmless when looking at the description in the store and the requested permissions. However, this changes when users are charged month after month for the premium service they have subscribed to without their knowledge and consent.

  • If users install the Android apps infected with GriftHorse, the Trojan starts annoying them with pop-ups and notifications about prizes won and special offers.
  • Users who tap on these messages are redirected by the Trojan to websites where the phone number has to be confirmed to accept the offer.
  • However, by entering the phone number, users sign up for premium SMS services that cost over €30 ($35) per month, and the GriftHorse gang pockets the proceeds.

Zimperium zLabs has reported its findings to Google, and the malicious apps have since been removed from the Google Play Store. However, the malicious apps are still available in unsecured third-party app repositories, so the risk of sideloading apps onto Android mobile devices remains. Details and a list of affected apps can be found at Zimperium in this blog post. In the meantime, there is an app called Defense Alliance that takes care of app security (see this Zimperium article).

What helps against such infections

In recent years I have argued that users should only download apps from the Google Play Store if possible, because Google checks the apps and Google Play Protect is supposed to keep such apps off users' devices. But this obviously works only very poorly. Currently, Android users can only use the following options to minimize the risk:

  • Limit the number of apps installed on devices, relying on known developers.
  • Avoid installing apps from third-party stores if possible – and have .apk downloads checked on VirusTotal before installation.
  • Scan the apps on the Android device with a security solution from one of the various providers such as Malwarebytes. Known malware is often flagged and removed.
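The second point above, checking a downloaded .apk on VirusTotal before installing it, can be scripted so that nothing is installed until the hash has been looked up. The following is an added example written for this post, not code from the blog or from Zimperium: it hashes the .apk, queries the VirusTotal v3 file-report endpoint (which expects the `x-apikey` header) and reduces the engine counts to a verdict. The verdict thresholds, the `VT_API_KEY` environment variable name and the sample report are this example's own assumptions, not VirusTotal's.

```python
"""Pre-install check of a downloaded .apk against VirusTotal (added example)."""
import hashlib
import json
import os
import sys
import urllib.request
from urllib.error import HTTPError

# VirusTotal v3 endpoint that returns the existing report for a file hash.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory byte string (used by the file variant and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so even large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_report(report):
    """Reduce a parsed VirusTotal v3 file report to (verdict, malicious, suspicious, total).

    The thresholds below are this example's own policy, not VirusTotal's:
    three or more engines calling the file malicious blocks the install,
    any lower non-zero count asks for a manual review.
    """
    stats = report["data"]["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    if malicious >= 3:
        verdict = "DO NOT INSTALL"
    elif malicious or suspicious:
        verdict = "REVIEW"
    else:
        verdict = "no detections"
    return verdict, malicious, suspicious, total


def fetch_report(sha256, api_key):
    """Look up an existing report by hash; None means VirusTotal has never seen the file."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256=sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as e:
        if e.code == 404:
            return None
        raise


# Constructed sample in the shape of a v3 file report; the numbers are invented, not real scan data.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"malicious": 12, "suspicious": 1, "harmless": 0, "undetected": 57}
        }
    }
}


def check_apk(path, api_key):
    """Hash the file, query VirusTotal and return a human-readable verdict line."""
    digest = sha256_of_file(path)
    report = fetch_report(digest, api_key)
    if report is None:
        return f"{digest}: unknown to VirusTotal (upload it for analysis before installing)"
    verdict, mal, sus, total = summarize_report(report)
    return f"{digest}: {verdict} ({mal} malicious, {sus} suspicious of {total} engines)"


if __name__ == "__main__":
    if len(sys.argv) != 2 or "VT_API_KEY" not in os.environ:
        print("usage: VT_API_KEY=... python check_apk.py app.apk", file=sys.stderr)
        sys.exit(2)
    print(check_apk(sys.argv[1], os.environ["VT_API_KEY"]))
```

Run it with the API key in the environment and the downloaded .apk as the only argument; an "unknown to VirusTotal" result is not a clean bill of health, it only means nobody has submitted that exact file yet.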

And finally, keep your eyes open for any unusual activity on the device (it gets warm, the battery suddenly dies quickly, Android responds sluggishly, links are opened, etc.). Above all, do not respond to links in notifications that promise offers or prizes and then enter personal data.
