
‘GriftHorse’ Android malware claims over 10 million victims through 200+ apps


Security researchers Aazim Yaswant and Nipun Gupta at mobile security firm Zimperium have discovered a new malware family, GriftHorse, distributed through malicious apps on the Google Play Store and third-party app stores. The campaign has been active since November 2020 and has infected over 10 million Android devices across at least 70 countries.

Once one of these infected apps is installed, the user is spammed with pop-ups and notifications advertising prizes and special offers. Tapping a notification takes the user to a page that asks them to confirm their phone number, supposedly to claim the offer.

In reality, entering the number subscribes the user to a premium SMS service that charges about $35 a month, with the proceeds going to the attackers. The researchers describe GriftHorse as “one of the most widespread campaigns the zLabs threat research team has witnessed in 2021.”



Another novel threat

Based on the researchers’ findings, the operators are earning anywhere from $1.5 million to $4 million per month. The malware’s authors also invested heavily in the quality of their code and infrastructure, spreading the campaign across numerous websites, apps and developer personas to reach as many victims as possible while evading detection.

A map showing all infected countries | Source: Zimperium

According to Yaswant and Gupta, “the level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months.”

The malware was not only propagated through a large number of apps, over 200 in total, but those apps were also spread across many Play Store categories to widen the pool of potential victims. Some of them have over a million downloads.

Some of the most popular apps include Handy Translator Pro, Heart Rate and Pulse Tracker, Geospot: GPS Location Tracker, iCare – Find Location, My Chat Translator and Bus — Metrolis 2021. Each of these has at least 100,000 downloads. Zimperium has published the complete list of affected apps.

Screenshots of the fake notifications and phone number verification screens | Source: Zimperium

These apps were last updated in April 2021. Given that the scam began in November 2020, the earliest victims have by now lost over $230 each. With more than 10 million victims in total, the scammers’ overall take is enormous.

Zimperium reported that it had contacted Google about the infected apps, and all 200-plus of them have since been removed from the Play Store. Removal from the store does not uninstall the apps already on devices or cancel a subscription that has already been set up, so affected users still need to uninstall the app and check their carrier bill for recurring premium-SMS charges.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
