Up to 10 million Android users hit by money-stealing malware — what to do

Green skull on smartphone screen.
(Image credit: Shutterstock)

A new Android malware campaign has been using corrupted apps to secretly enroll up to 10 million unsuspecting victims into paid-SMS subscriptions that can cost up to $35 per month, reports security firm Zimperium  in a blog post today (Sept. 29).

There are more than 200 of these infected apps, mostly consisting of utility and entertainment apps, and victims have been found in 70 countries worldwide, including the U.S., the rest of North America and most of Europe.

Several dozen infected apps were found in the official Google Play store and kicked out after Zimperium notified Google of their existence, but many more apps can still be found on third-party app stores. 

"These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for the premium service they get subscribed to without their knowledge and consent," says researcher Aazim Yaswant in the Zimperium report.

Zimperium calls the malware campaign "GriftHorse" and says it has been running since November 2020.

How to protect yourself from GriftHorse

To protect yourself from GriftHorse and similar Android malware campaigns, make sure you install apps only from the official Google Play store. In the most recent versions of Android, this means not allowing any apps to "install unknown apps." 

You'll also want to install and use one of the best Android antivirus apps. At the time of this writing, few of the GriftHorse-infected apps were recognized as malicious by most malware-detection engines, but that will change over the course of the day as Zimperium's report is read.

If you do fall victim to such a scam, contact your wireless carrier and explain that you did not sign up for this premium-SMS subscription willingly and you'd like it cancelled. You may or may not be able to get some money back.

Localized malware

The malicious component of each corrupted app reads the IP address of the victim's phone and the pops up alerts tailored to their victim's geographical location. If you're in Greece, the alert will be in Greek; if you're in the UK, it'll be in English. 

The alerts generally tell you that you've won a prize and need to claim it ASAP. If you don't respond right away, the alerts keeping popping up until you do. Then you're taken to a website — again tailored to your language — that asks you to enter your phone number so that you can be "verified" as the actual prize winner.

Don't do this. Once you enter your phone number, you'll be secretly signed up for a premium-SMS service that charges €30 — about $35 U.S. or £26  — each and every month. Zimperium estimates that victims enrolled in the scam subscription since it began may have lost as much as $230 each.

"The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back."

The GriftHorse operators have managed to avoid the attention of most security researchers and antivirus firms by constantly switching to new domains for their websites, and by using IP-address filters to localize those websites and alerts to the potential victim's country.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.