GriftHorse Android Trojan Stole Millions from 10 Million Users

GriftHorse Android Trojan Stole Millions from 10 Million Users

More than 10 million Android users are being impacted by the new GriftHorse mobile virus. According to security experts, these typical premium service scams are using phishing techniques to make $41 every month per user by

GriftHorse apps in all categories were discovered by Zimperium on Google Play and third-party app stores. GriftHorse, a Trojan code discovered in more than 200 malicious apps in at least 70 countries, has been afflicting Android phones since November 2020, according to Zimperium researchers Aazim Yaswant and Nipun Gupta. Google has taken down the flagged apps, but there could be more play store and a variety of unofficial store apps on people’s phones could still be active.

Distribution of GriftHorse Android malware victims. Source: Zimperium.


How GriftHorse Trojan Android Malware Attacks:

The new Trojan malware deceives Android users into sign up for a variety of paid services. Following their successful attack, affected Android users are required to pay around $41 in monthly premium subscription fees.

The Trojans are built using the Apache Cordova mobile application development framework, according to Zimperium’s latest blog post. For cross-platform mobile development, Cordova allows developers to use standard web technologies such as HTML5, CSS3, and JavaScript. Developers can use this technology to push out app updates without requiring users to do so manually.

While this framework improves the user’s experience and security, it can also be used to host malicious code on the server and develop an application that executes the code in real-time. The application appears as a web page with HTML, CSS, JavaScript, and image references.

When an app is launched, for example, AES is used to decrypt the encrypted files in the “assets/www” folder. After a little more digging, the source code for the core functionality uses the GetData() function to encrypt an HTTP POST request and establish communication between the application and a first-stage command-and-control (C2) server.

The app then receives an encrypted response, which is decrypted with AES to obtain a C2 URL for the second stage. According to the analysis, it also performs a GET request using Cordova’s “InAppBrowser” function to uncover a third-stage URL, and it begins sending user notifications about the alleged “prize” once every hour, five times in a row.

Regardless of the application or the victim’s geolocation, the second-stage C2 domain is always the same.

The third-stage URL redirects to a final page that requests the victim’s phone number and enrolls them in a variety of paid services and premium subscriptions.

According to researchers, the JavaScript Interface facilitates interaction between the WebPage and in-app functions by allowing JavaScript code inside a WebView to trigger actions in native (application-level) code. This can include gathering information about the device, such as the IMEI and IMSI numbers, among other things.

GriftHorse’s success, according to the researchers, is due in part to the fact that it avoids pattern-based detection and blocking by not reusing common strings in the application code.

GriftHorse Apps:

  • 100% Projector for Mobile Phone
  • 3D Camera To Plan
  • Amazing Sticky Slime Simulator ASMR\u200f
  • Amazing Video Editor
  • AR Phone Booster – Battery Saver
  • Bag X-Ray 100% Scanner
  • Battery Live Wallpaper 4K
  • Bus – Metrolis 2021
  • Bus Driving Simulator
  • Call Blocker-Spam Call Blocker
  • Call Blocker-Spam Call Blocker
  • Call Recorder Pro
  • Call Record Pro
  • Call Recorder iCall
  • Caller ID & Spam Blocker
  • CallerID
  • Caller-x
  • CallHelp: Second Phone Number
  • Chat Translator All Messengers
  • CIAO – Live Video Chat
  • Cinema Hall: Free HD Movies
  • Clap
  • Clap To Find My Phone
  • ClipBuddy
  • Color Call Changer
  • Coupons & Gifts: InstaShop
  • CutCut Pro
  • Daily Horoscope & Life Palmestry
  • Dating App – Sweet Meet
  • Easy Bass Booster
  • Easy TV Show
  • Ela-Salaty: Muslim Prayer Times & Qibla Direction
  • English Arabic Translator direct
  • Face Analyzer
  • FastPulse – Heart Rate Monitor
  • FindContact
  • Fingerprint Changer
  • Fingerprint Defender
  • Fitness Point
  • Fitness Trainer
  • Forza H Mobile 4 Ultimate Edition
  • PikCho Editor app
  • Plant Camera Identifier
  • Heart Rate and Meal Tracker
  • Heart Rate and Pulse Tracker
  • Heart Rate Pro Health Monitor
  • Heart Rhythm
  • HOO Live – Meet and Chat
  • Horoscope: Fortune
  • Hunt Contact
  • iCare – Find Location
  • iConnected Tracker
  • Icony
  • Idle Gun Tycoo\u202an\u202c
  • Instant Speech Translation
  • Intelligent Translator Pro
  • iSalam Qibla Compass
  • iTranslator_ Text & Voice & Photo
  • Keyboard Themes
  • Keyboard: Virtual Projector App
  • KFC Saudi – Get free delivery and 50% off coupons
  • Language Translator-Easy&Fast
  • Launcher iOS 15
  • Launcher iOS for Android
  • Lifeel – scan and test
  • Live Mobile Number Tracker
  • Live Wallpaper & Background
  • Loca – Find Location
  • Locatoria – Find Location
  • Locker Tool
  • Ludo Game Classic
  • Ludo Speak v2.0
  • Mine Easy Translator
  • Mobile Things Finder
  • My Chat Translator
  • My Locator Plus
  • OFFRoaders – Survive
  • Parallax paper 3D
  • Phone Caller Screen 2021
  • Phone Finder by Clapping
  • Phone Search by Clap
  • PhoneControl Block Spam Calls
  • Photo Effect Pro
  • Photo Lab
  • Piano Bot Easy Lessons
  • Handy Translator Pro
  • Pony Video Chat-Live Stream
  • Qibla Compass (Kaaba Locator)
  • Qibla correct Quran Coran Koran
  • Qibla direction watch (compass)
  • Qibla Finder – Qibla Direction
  • Qibla Pass Direction
  • Qibla Ultimate
  • QR Code Reader – Barcode Scanner
  • QR Reader Pro
  • R Circle – Location Finder
  • Racers Car Driver
  • Safe Lock
  • Scanner App Scan Docs & Notes
  • Scanner Pro App: PDF Document
  • Screen Mirroring TV Cast
  • Second Translate PRO
  • Skycoach
  • Slime Simulator
  • Smart Call Recorder
  • Smart Spot Locator
  • SnapLens – Photo Translator
  • Soul Scanner – Check Your
  • Squishy and Pop it
  • Stickers Maker for WhatsApp
  • Street Cars: pro Racing
  • TagsContact
  • Translate It – Online App
  • Truck – RoudDrive Offroad
  • TrueCaller & TrueRecoder
  • Vector arts
  • Video & Photo Recovery Manager 2
  • VPN Zone – Fast & Easy Proxy
  • What’s Me Sticker
  • WiFi Unlock Password Pro X
  • You Frame
  • Zodiac : Hand
  • Быстрые кредиты 24\7
  • Free Calls WorldWide
  • Free Coupons 2021
  • Free Islamic Stickers 2021
  • Free Translator Photo
  • FX Keyboard
  • Geospot: GPS Location Tracker
  • GetContacter
  • GPS Phone Tracker – Family Locator

Victims are tricked into downloading Android apps that appear to be safe and legitimate. The most popular malicious app — a translator — has received at least 500,000 downloads and ranges from puzzle games and utilities to dating software, food, and drink.

Source: zLabs

Prevention and Safety:

Mobile application sources and permissions:

The researchers discovered that 10.5 percent of the 68,051 apps they looked at shared personal information with third-party services without disclosing it in their privacy policies. In addition, only 22.2 percent of the 68,051 apps named third-party partners or affiliates in their privacy policies, with most apps concealing where user data is collected.

Sensor data, call logs, camera and microphone access, location, storage, and contact lists are among the permissions that apps can request. While many legitimate apps require access to certain features, you should always be aware of which apps have access to which data in order to avoid unnecessary security risks or data leaks.

No matter which mobile operating system we use, download apps from verified, trusted sources is the best option to maintain your security and privacy. To be on the safe side, you should uninstall any application that you no longer require.

Mobile malware:

Mobile malware has become as popular as malicious software but with these variants infecting Android, iOS, and sometimes make their way into official app stores. Malware developers frequently use the technique of submitting a legitimate-looking mobile application and then uploading malicious functions once a user base has been established.

It’s recommended that you download and install an antivirus software solution for mobile devices, however, you will probably be safe enough as long as you do not jailbreak your phone and Instead of third-party repositories, you only download the app. APKs from trusted sources.



GriftHorse Android TROJAN steals millions from over 10 million VICTIMS Globally. Zimperium Mobile Security Blog. (2021, September 29). Retrieved September 30, 2021, from

Seals, A. T., & Seals, T. (n.d.). GriftHorse money-stealing TROJAN Takes 10M Android users for a ride. Threatpost English Global threatpostcom. Retrieved September 30, 2021, from