Understanding the SMS Subscription Malware - GriftHorse

PCMag recently reported on a new SMS subscription malware campaign called GriftHorse, an interesting model of malware that researchers discovered inside the Google Play store.  This kind of phone-based malware works by publishing apps to Google Play and using them to enrol the phones that install them in premium subscription services charging upwards of $35 USD a month.  Early indications are that it affected somewhere in the vicinity of 10 million Android users prior to discovery, so here's what we know:

  • There are over 200 apps associated with this malware, spread across all kinds of categories - lifestyle, finance, dating, and entertainment.
  • Some of these apps have been in the Google Play Store since November 2020.
  • Early estimates put the take as high as $4 million USD a month, and potentially hundreds of millions in total if the campaign ran undetected since November 2020.
  • These apps have since been removed from Google Play, after the researchers presented their findings to Google.

So what can we really learn from this?

These apps worked on a "once installed, harass the user" model.  They forced pop-ups and interrupted phone users constantly, directing them to web pages where they were asked to enter their mobile phone number in order to "redeem" the prize being offered in the pop-up; submitting that number signed them up for the $35 USD a month "service".  This constant prompting was the core method of forcing users to interact.

The malware authors kept improving their code and delivery mediums throughout the campaign.  They worked to distribute their apps across as many different stores, websites and channels as possible in order to increase the number of infected users.  A full list of infected applications can be found here on Zimperium's blog.


How do you remain safe from these kinds of attacks?  Simply put, zero trust security practices.  As discussed in previous blogs, the zero trust security model is based on the idea that every single application on a device such as your mobile is presumed untrustworthy until proven otherwise.  Applied here, the rule is "never trust, always verify": vet a new application before installing it rather than after, which gives you time to check that it is not malicious.  And if a malicious application does get installed, it should be a simple process to review which applications were most recently installed, remove them, or restore from a backup taken before that application's installation.  Because the harm in this case is a recurring charge, also check your carrier bill for any subscription you did not sign up for, since that date tells you which installs to look at first.
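As an added example (not code from the original post, and not from Zimperium's research), the following Python script turns the "review which applications were most recently installed" step into a repeatable triage check.  It assumes the phone is connected over adb and that you feed it the output of `adb shell dumpsys package packages`; the sample embedded below is constructed to mimic that format, with invented package names, and is not real GriftHorse data.  It ranks third-party packages by first-install time, optionally limited to installs on or after the day a charge first appeared, and flags any that request SMS permissions.  The post describes GriftHorse collecting the number through a web page rather than through SMS permissions, so the permission flag is only a secondary indicator for the wider "drive-by subscribe" class; install recency is the primary signal.

```python
"""Rank third-party Android packages by install recency and flag SMS-capable ones.

Added example, not part of the original post or of Zimperium's research.
Input is the text of `adb shell dumpsys package packages`; SAMPLE_DUMPSYS is
CONSTRUCTED to mimic that format with invented package names.
"""
import re
from datetime import datetime

# Permissions that let an app send, read or intercept SMS. GriftHorse did not
# need these (it collected the number through a web page), so treat this as a
# secondary flag for the broader "drive-by subscribe" class, not as proof.
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_WAP_PUSH",
}

# Constructed sample in the shape of `dumpsys package packages` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.notes] (a1b2c3):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    firstInstallTime=2020-03-02 09:14:05
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.android.systemui] (d4e5f6):
    flags=[ SYSTEM HAS_CODE ]
    firstInstallTime=2009-01-01 00:00:00
    requested permissions:
      android.permission.RECEIVE_SMS
  Package [com.fancy.horoscope.daily] (789abc):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    firstInstallTime=2021-09-20 21:03:44
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
  Package [com.fitness.tracker.lite] (def012):
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    firstInstallTime=2021-09-18 07:55:10
    requested permissions:
      android.permission.INTERNET
"""

PACKAGE_HEADER = re.compile(r"^\s*Package \[([^\]]+)\]")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_dumpsys(text):
    """Return {package: {'installed': datetime, 'system': bool, 'perms': set}}."""
    packages = {}
    current = None
    in_requested = False  # inside a "requested permissions:" block
    for line in text.splitlines():
        m = PACKAGE_HEADER.match(line)
        if m:
            current = {"installed": None, "system": False, "perms": set()}
            packages[m.group(1)] = current
            in_requested = False
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("firstInstallTime="):
            current["installed"] = datetime.strptime(s.split("=", 1)[1], TIME_FMT)
        elif s.startswith("flags=") and "SYSTEM" in s:
            current["system"] = True  # preinstalled; not user-installed
        elif s == "requested permissions:":
            in_requested = True
        elif in_requested:
            # A new section header ("x:") or key=value line ends the block.
            if s.endswith(":") or "=" in s:
                in_requested = False
            else:
                current["perms"].add(s)
    return packages


def triage(text, since=None):
    """Third-party packages newest-first, each with an SMS-permission flag.

    `since` is an optional "YYYY-MM-DD" string; only packages first installed
    on or after that date are returned (e.g. the day the charge first appeared).
    """
    cutoff = datetime.strptime(since, "%Y-%m-%d") if since else None
    rows = []
    for name, info in parse_dumpsys(text).items():
        if info["system"] or info["installed"] is None:
            continue
        if cutoff is not None and info["installed"] < cutoff:
            continue
        rows.append({"package": name, "installed": info["installed"],
                     "sms": bool(info["perms"] & SMS_PERMISSIONS)})
    rows.sort(key=lambda r: r["installed"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_DUMPSYS, since="2021-09-01"):
        print(f"{r['installed']:%Y-%m-%d %H:%M}  {r['package']:<30} "
              f"{'SMS-capable' if r['sms'] else ''}")
```

On a real device, run `adb shell dumpsys package packages > pkgs.txt` and pass the file contents to `triage` with `since` set to the billing date of the first unexpected charge; whatever was installed just before that date goes to the top of the list, and long-standing apps stay out of the way.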

Ultimately, as attackers get more sophisticated, it is important to maintain vigilance in security practices.  This is far from a new issue: "drive-by subscribe" malware has come up before, and this is just a newer way of executing on that model.  Practicing good security, focusing on methodology, and creating processes that allow for quick resolution post-infection will provide the greatest value.