How GriftHorse Trojan Android Malware Attacks:
The new Trojan malware deceives Android users into signing up for a variety of paid services. Once the attack succeeds, affected Android users are charged around $41 a month in premium subscription fees.
The Trojans are built using the Apache Cordova mobile application development framework, according to Zimperium’s latest blog post. Cordova is a cross-platform mobile development framework that lets developers build apps with standard web technologies such as HTML5, CSS3, and JavaScript. Developers can also use it to push out app updates without requiring users to install them manually.
While this framework improves the user’s experience and security, it can also be used to host malicious code on the server and develop an application that executes the code in real-time. The application appears as a web page with HTML, CSS, JavaScript, and image references.
When the app is launched, for example, AES is used to decrypt the encrypted files in the “assets/www” folder. Digging further, the source code for the core functionality uses the GetData() function to encrypt an HTTP POST request and establish communication between the application and a first-stage command-and-control (C2) server.
The app then receives an encrypted response, which is decrypted with AES to obtain a C2 URL for the second stage. According to the analysis, it also performs a GET request using Cordova’s “InAppBrowser” function to obtain a third-stage URL, and it then begins sending the user notifications about the alleged “prize” once every hour, five times in a row.
Regardless of the application or the victim’s geolocation, the second-stage C2 domain is always the same.
The third-stage URL redirects to a final page that requests the victim’s phone number and enrolls them in a variety of paid services and premium subscriptions.
According to researchers, the JavaScript Interface facilitates interaction between the web page and in-app functions by allowing JavaScript code inside a WebView to trigger actions in native (application-level) code. This can include gathering information about the device, such as the IMEI and IMSI numbers, among other things.
GriftHorse’s success, according to the researchers, is due in part to the fact that it avoids pattern-based detection and blocking by not reusing common strings in the application code.
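The write-up gives three indicators an analyst can triage for without relying on the reused strings the malware avoids: a Cordova-built app, encrypted (high-entropy) content under “assets/www”, and a JavaScript-to-native bridge. The following Python script is an added example written for this page; it is not code from the article, from Zimperium, or from the malware. It treats an APK as the zip file it is, scores each “assets/www” entry with Shannon entropy (an assumed threshold of 7.5 bits per byte), looks for Cordova runtime files by name, and searches the dex for the `addJavascriptInterface` method name. The sample APK it builds is constructed in memory and is not a real sample.

```python
"""Added triage example for Cordova-packaged apps with encrypted web assets.
Not the article's or Zimperium's code; file names, threshold and sample are assumptions."""
import io
import math
import os
import zipfile


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output or random data approaches 8.0, HTML/JS stays well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Scan an APK (a zip) for the three indicators described in the write-up.

    Returns a dict with: cordova (runtime files present), encrypted_www (list of
    high-entropy entries under assets/www/), js_bridge (dex references the WebView
    JavaScript bridge), and an overall 'suspicious' flag.
    """
    result = {"cordova": False, "encrypted_www": [], "js_bridge": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = z.read(name)
            # Cordova apps ship cordova.js in the web root and a config.xml in res/xml.
            if name.endswith("cordova.js") or name == "res/xml/config.xml":
                result["cordova"] = True
            # Web assets should be readable text; near-8-bit entropy suggests encryption.
            if name.startswith("assets/www/") and shannon_entropy(data) >= entropy_threshold:
                result["encrypted_www"].append(name)
            # The native bridge the page describes is exposed via WebView.addJavascriptInterface.
            if name.endswith(".dex") and b"addJavascriptInterface" in data:
                result["js_bridge"] = True
    # Encrypted web assets inside a Cordova app is the combination worth a closer look.
    result["suspicious"] = result["cordova"] and bool(result["encrypted_www"])
    return result


def build_sample_apk(encrypt_assets: bool) -> bytes:
    """Constructed stand-in for an APK, built in memory; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/www/cordova.js", "// constructed placeholder cordova runtime\n" * 20)
        z.writestr("res/xml/config.xml", "<widget/>")
        # Random bytes stand in for an AES-encrypted payload; plain HTML for a benign app.
        body = os.urandom(4096) if encrypt_assets else b"<html><body>hello</body></html>\n" * 100
        z.writestr("assets/www/index.html", body)
        # Minimal dex-like blob carrying the bridge method name as a string.
        z.writestr("classes.dex", b"dex\n035\x00" + b"addJavascriptInterface" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print("encrypted sample:", triage_apk(build_sample_apk(True)))
    print("benign sample:   ", triage_apk(build_sample_apk(False)))
```

Because the entropy check looks at the shape of the data rather than any particular string, it is not defeated by the string-variation the researchers describe. It is a triage signal, not a verdict: legitimate apps sometimes ship compressed or obfuscated web bundles, and a bridge via `addJavascriptInterface` is common in benign WebView apps, so flagged APKs still need the kind of manual follow-up the analysis above performed.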