GriftHorse malware has infected 10 million Android devices • The Register

You may be advised not to look a gift horse in the mouth for fear of appearing ungrateful and jeopardizing its health. But you’ll probably want to look at your Android phone for GriftHorse, or rather one of the 200 or so apps with different names that embed the malicious code.

Mobile security company Zimperium, which first identified the GriftHorse Android Trojan, says the malware has infected more than 10 million Android devices worldwide; a fraction of a percent of active droid devices, but still misery for literally millions of people.

In a blog post published Wednesday, Zimperium researchers Aazim Yaswant and Nipun Gupta said the Trojan code dubbed GriftHorse has been spotted in more than 200 malicious apps in at least 70 different countries and has plagued Android phones since November 2020.

Zimperium is teaming up with Google to defend the advertising giant’s Play Store and has thus already informed the Chocolate Factory of its conclusions. Google, we are told, has already tamed its online souk. So, reviewing the long list of affected apps in Zimperium’s blog post is probably not necessary for Android devices linked to Google Play.

But the subversive code can still be present in Android apps distributed through third-party stores, the researchers said, coincidentally echoing a favored talking point by Google and Apple about maintaining control of their app stores for security reasons.

GriftHorse apps are designed to subscribe Android users to premium services without their authorization, which incurs a fee of around €36 per month ($42) until the victim notices the charges and cancels them. This particular scam, researchers speculate, may have earned the creators of GriftHorse several million dollars.

“In the event of infection, the victim is bombarded with on-screen alerts letting them know that they have won a prize and must claim it immediately,” Yaswant and Gupta explain. “These pop-ups reappear no less than five times per hour until the app user successfully accepts the offer.”

Once the user agrees, they explain, the malicious code redirects the victim to a web page tailored to their specific location, which then asks for a phone number as verification. That number is in fact signed up to a premium SMS service, which adds a charge to the victim’s monthly mobile bill.

What GriftHorse apps have in common is that they were built with the open source Apache Cordova framework, which leverages web technologies like HTML, CSS, and JavaScript and provides a way to push updates to applications automatically without user intervention.

Once installed, a GriftHorse application retrieves encrypted files stored under assets/www in the APK and decrypts them using AES/CBC/PKCS5Padding. The resulting index.html file is then loaded through the Android WebView class. It references a js/index.js which sets up a Google Advertising ID and sends a POST request with an encrypted payload to the command-and-control (C&C) server.

The server responds with more encrypted data – the second-stage C&C URL, which is used to make a GET request through Cordova’s InAppBrowser to retrieve the configuration data used to send the prize notifications.

If the user responds to the notifications, a third-stage URL is presented as an in-app web page to collect the victim’s phone number. The scheme relies on built-in JavaScript code to interact with the resources of the mobile device.

“The interaction between the web page and the functions built into the application is facilitated by the JavaScript interface, which allows JavaScript code inside a web view to trigger actions in native-level (application) code,” explain Yaswant and Gupta. “This may include collecting data on the device, including IMEI and IMSI, among others.”

The researchers note that GriftHorse’s success can in part be attributed to the non-reuse of common strings in app code, which avoids pattern-based detection and blocking.
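A detection-side illustration of the packaging described above, added here and not part of The Register’s article or Zimperium’s research: because Cordova apps normally ship readable HTML and JavaScript under assets/www, a triage script can flag entries in that directory whose byte entropy looks like ciphertext rather than text. The sample APK, the payload.bin file name and the entropy threshold are assumptions for the example.

```python
# Added example (not from The Register or Zimperium): triage heuristic for
# Cordova-based APKs. Legitimate Cordova apps ship plain HTML/JS under
# assets/www; GriftHorse kept AES-encrypted files there and decrypted them at
# run time, so high Shannon entropy in that directory is worth a closer look.
import io
import math
import os
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits/byte; text rarely exceeds ~6, ciphertext ~8
MIN_SIZE = 64             # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_encrypted_www_assets(apk_bytes: bytes) -> list:
    """Return (path, entropy) for assets/www entries that look encrypted.
    An APK is a zip archive; only the Cordova web bundle is inspected."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/www/"):
                continue
            data = apk.read(info)
            if len(data) < MIN_SIZE:
                continue
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                flagged.append((info.filename, round(ent, 2)))
    return flagged


def build_sample_apk() -> bytes:
    """Constructed sample (assumption): one plaintext Cordova page and script
    plus one opaque blob; random bytes stand in for AES/CBC ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/www/index.html",
                   "<html><body><script src='js/index.js'></script></body></html>" * 4)
        z.writestr("assets/www/js/index.js",
                   "document.addEventListener('deviceready', function () {});" * 4)
        z.writestr("assets/www/payload.bin", os.urandom(4096))
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 200)
    return buf.getvalue()
```

The plaintext page and script stay well below the threshold, so only the opaque blob is reported; a real triage run would then pull the flagged files for manual decryption and review.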

The Register asked Google whether it anticipates the need to look at limiting the update mechanisms used in Android apps built with Apache Cordova, but we haven’t heard back. ®


Steven L. Nielsen
