13.1 C

Everything About Infectious Android Malware Grifthorse Trojan

A new malware has recently been detected worldwide. Around 10 million Android phone users have succumbed to this malware. It’s a surprise to hear, isn’t it? How is it possible to attack such a large population at once? 

This particular malware has reached 10 million people, not just through one application but with the help of various applications. There is no shortage of free software in the Play Store. Most Android phone users start using the application by downloading and installing it for free without verifying any application.

This one mistake helps the malware to reach so many people. The rest of the details about Android Malware Grifthorse Trojan are discussed below:

How did Android Malware Grifthorse Trojan malware attack 10 million phones?

In the present era, cybercrime is increasing day by day. Since most banking systems are controlled with mobile phones, hackers are now creating mobile phone-centric malware. Hackers always try to gain access to any endpoint. 

What could be better endpoint access than the Android phone where you manually give all the access when installing the application. Basically, this GriftHorse Trojan is being used in many free applications available in the Google Play Store. 

These applications offer their services for free, but in return, they take away a lot without your knowledge. When you install an application under the GriftHorse Trojan, the app takes away access to calls, messages, internet, etc. from you. 

The actual attack of this malware is found a few months later when the bill for the paid subscription goes out of the user’s account which the user has never used.

How does GriftHorse Trojan work on Android?

The Apache Cordoba Framework is used to develop these Trojans. Apache Cordova primarily allows the use of HTML5, CSS3, and JavaScript in mobile applications. This allows the application to auto-update on Android phones, without the need for manual updates. 

Although this framework is used to make the application more user-friendly and provide better security, the same technology also enters malicious code into the application server. However, it further undermines security. 

After installing and running the application, the encrypted files are stored in the APK’s “assets/www” folder. Then those encrypted files are decrypted using “AES / CBC / PKCS5Padding”. Once the decryption is complete then the file index.html is then loaded using the WebView class.

Because of using JS, this trojan works in real-time. That’s why the main functionality source code is stored in the js/index.js file. This file is basically used for calling appConf which adds Google Advertising ID (AAID) for Android devices. 

Appconf Data Structure is created with the Appsflyer UID collected after launching Appsfly using the Dave key. After the necessary checks, control of the program is assigned to GetData ().

Encrypting the value of appConf with an HTTP POST request, the GetData () function established a communication between the application and the C&C server. When an encrypted response is received, AES is used to decrypt it and then Cordoba requests a GET using InAppBrowser.

The configuration to send notifications is received in the response and displayed five times every hour, as shown in the following screenshot. The reason for using this type of recurring notification is to get the user’s attention and navigate the app.

The second level CandC domain is always the same regardless of the victim’s application or geolocation, and the GET request to that server moves the browser to the third level URL.

The third step URL shows the last page asking for the victim’s phone number and subscribing to various paid services and premium subscriptions.

The on-page JavaScript is responsible for the behavior of malicious applications due to the interaction between the web and mobile resources.

There are two variants of the campaign which differ by the interaction with the victim: 

  •  First variant: displays a “Continue” or “Click” button, a click on which initiates an action to send SMS as shown in the capture screen above. This URI is analyzed. Example: “SMS: 1252? Body = TREND frcql1sm”. 
  • The second variant: requires the entry and registration of the victim’s phone number in the backend of the server. The malicious behavior is therefore the same as in the first variant. 

JavaScript is so powerful and has excellent interaction with the web application that’s why it can easily trigger actions locally in a web view. There may be a possibility to collect data from devices including IMEI and IMSI. 

Applications that carry the GriftHorse Trojan:

Zimperium zLabs lists some apps that carry GriftHorse Trojans. So everyone is advised not to install and use these applications.

  • Call Recorder Pro
  • Handy Translator Pro
  • Heart Rate and Pulse Tracker
  • Geospot: GPS Location Tracker
  • iCare – Find Location
  • My Chat Translator
  • Bus – Metrolis 2021
  • Locker Tool
  • Fingerprint Changer
  • Racers Car Driver
  • Keyboard Themes
  • Safe Lock
  • Heart Rhythm
  • Smart Spot Locator
  • OFFRoaders – Survive
  • Bus Driving Simulator
  • Fingerprint Defender
  • Launcher iOS 15
  • Hunt Contact
  • Photo Effect Pro
  • Smart Call Recorder

Of the many apps infected by the GriftHorse Trojan, only a few are named here. 

When did this malware attack start?

Zimperium zLabs published an article on malware, stating that the GriftHorse Trojan had started cheating on Android phones since approximately November 2020. And this malware is also available in third-party applications including Play Store. 

How much money has been hacked by this GriftHorse malware?

Malware is always hidden on your phone. So its activity cannot be easily identified. Malware uses this feature to snatch money from Android phone users. According to sources, the GriftHorse Trojan has now stolen approximately hundreds of millions of Euros.

Final Words

Zimperium zLabs further stated in their article that this Android Malware Grifthorse Trojan exists in more than 70 countries around the world. An app infected with this malware changes language depending on the user’s IP address.

It is possible to save everyone from the harm of this malware by raising awareness. So if you are using any of the applications in this list, there is only one suggestion for you, uninstall that application right now. 

And if any of your friends or family members have used these apps, warn them not to use them either. So that your relatives can also stay safe from this malware scam.

Bill Thamas
Bill Thamas is a gaming freak. He is always into different kinds of games. He started his career as a tier 1 PUBG player and won many competitive tournaments. It has been a while since he started writing gaming-related content for Techalrm. His interests in different kinds of games keep him always aware of the updated and upcoming games. As a member of the gamer’s community, he gets the review and bug updates regularly. However, he is a game reviewer himself.

latest articles

explore more


Please enter your comment!
Please enter your name here