A sophisticated Android based malware ring has stolen hundreds of millions of pounds from 10 million victims according to a new report. This Grifthorse trojan malware was used in over 200 Android apps available in the Google Play store.

Details of the malware campaign are explained in a report from Zimperium Labs.

According to the researchers, the campaign affected millions of users from 70 different countries – serving malicious web pages in the local language by geo-locating the device based on its IP address.

After installing one of the 200 different trojan apps, users were first nagged with push notifications claiming they had won a prize 5 times per hour until they clicked the notification – probably in exasperation to make the alerts stop.  Next the victim was taken to a local language web page and asked to enter their phone number for ‘verification’ of the prize – while in reality the app then subscribed that phone number to a premium rate SMS service which then typically charged the victim’s mobile phone €30 per month until they spotted the charges and cancelled them with their phone company.

The scale and complexity of the operation is eye-opening:

• 200 Trojan apps created and successfully submitted to Google Play
• 10 million application downloads since November 2020
• Victims in 70 countries with local language customisations
• Variety of apps from: tools, to health trackers, games to productivity. The most popular with over half a million installs was Handy Translator Pro.

Google has now removed all the affected apps from the Google Play store, however Zimperium advises that many of the apps are still available in third party app stores.

Network Admins can help protect their fleet of Android devices from these trojan apps by disabling the ability to side-load apps and restricting the device to only install apps from Google Play.

A full list of the malicious apps, and the URL used by their command and control servers is listed in the report.