# GriftHorse
GriftHorse is a premium SMS fraud trojan that infected over 10 million Android devices across 70+ countries between November 2020 and September 2021, generating estimated revenue in the hundreds of millions of euros. Discovered by Zimperium zLabs, the campaign stood out for its scale, geographic reach, and operational discipline: operators used geolocation-based targeting to serve country-specific premium service numbers, avoided hardcoded URLs, rotated domains, and built their apps with Apache Cordova to enable seamless silent updates.
## Overview
| Attribute | Details |
|---|---|
| First Seen | November 2020 |
| Last Seen | September 2021 (Google Play removal) |
| Type | Premium SMS subscription fraud |
| Attribution | Unknown |
| Aliases | GriftHorse |
## Origin and Lineage
GriftHorse has no known code lineage to other Android malware families. It was purpose-built for premium SMS enrollment at scale. The Zimperium zLabs team discovered the campaign through automated alerts from their z9 on-device detection engine. Forensic analysis placed the campaign's start date at November 2020, meaning it operated undetected for approximately 10 months before public disclosure.
The operators showed significant investment in infrastructure and distribution. Over 200 trojanized apps were submitted to Google Play and third-party stores, each functional enough to accumulate downloads without raising review flags. The campaign's financial model was straightforward: subscribe victims to premium SMS services at approximately 36 euros per month, billed directly to their phone bill.
## Distribution
GriftHorse used two distribution channels:
| Channel | Details |
|---|---|
| Google Play | 200+ trojanized apps across multiple categories |
| Third-party stores | Same apps distributed through alternative app markets |
### App Categories
The trojanized apps spanned a wide range of categories to maximize installs:
| Category | Examples |
|---|---|
| Tools/Utilities | File managers, compasses, GPS tools |
| Entertainment | Horoscope apps, wallpapers |
| Dating | Chat and dating simulation apps |
| Music | Ringtone and audio apps |
| Games | Casual puzzle and arcade games |
| Productivity | Translators, calculators |
| Communication | Call recorders, messaging |
The apps were functional. Users received a working utility while the fraud operated silently. This dual-purpose design kept ratings positive and avoided mass uninstalls that would trigger Play Store review.
## Capabilities
### Fraud Flow
| Step | Action |
|---|---|
| 1 | User installs trojanized app from Google Play or third-party store |
| 2 | App begins displaying pop-up alerts claiming the user has won a prize |
| 3 | Pop-ups repeat at minimum 5 times per hour until the user interacts |
| 4 | User taps alert, app collects device IP for geolocation |
| 5 | Based on IP geolocation, app serves a country-specific premium service page |
| 6 | Page prompts user to enter phone number for "verification" |
| 7 | Submitted phone number is enrolled in a premium SMS service (~36 EUR/month) |
| 8 | Charges appear on victim's phone bill |
The social engineering relied on persistence rather than sophistication. The pop-ups were intentionally aggressive, appearing repeatedly until the user engaged, betting that a fraction of annoyed users would follow through.
### Geolocation Targeting
GriftHorse's operators served different premium service numbers based on the victim's IP-derived country. This meant:
- Each country received premium numbers that actually worked with local carriers
- No single premium service number appeared across all regions, complicating detection
- The payload URL was not hardcoded but dynamically served, so static analysis of the APK revealed nothing malicious
## Technical Details
### Framework
GriftHorse apps were built with Apache Cordova, a cross-platform mobile development framework that wraps web technologies (HTML5, CSS3, JavaScript) in a native container. See Cordova / Ionic / Capacitor for the reverse engineering methodology. The choice of Cordova provided several operational advantages:
| Advantage | Details |
|---|---|
| Cross-platform | Same codebase runs on Android (and could be adapted for iOS) |
| Silent updates | Cordova's web layer can be updated without pushing an app store update |
| Rapid development | Web technologies allow fast iteration across 200+ app variants |
| InAppBrowser | Cordova's InAppBrowser plugin opens subscription pages within the app context |
### C2 Architecture
| Component | Details |
|---|---|
| Stage 1 | App contains encrypted C2 URL in its assets |
| Decryption | AES decryption to recover stage-2 C2 URL |
| Stage 2 | GET request to stage-2 URL retrieves the premium service page URL |
| Serving | Premium page URL is country-specific, resolved via IP geolocation |
| Display | Page opened in Cordova's InAppBrowser |
The operators avoided hardcoding any premium service URLs in the APK. The two-stage C2 retrieval with AES encryption and IP-based filtering meant the malicious behavior was invisible to static analysis and only triggered for users in targeted regions.
### Domain Infrastructure
Operators rotated domains frequently and avoided reusing domains across campaigns. No single domain appeared in multiple app variants, which made domain-based blocklisting ineffective as a broad countermeasure. The IP-based geolocation filtering also meant security researchers in non-targeted countries would receive benign responses from the C2.
### Evasion
| Technique | Purpose |
|---|---|
| AES-encrypted C2 URL | Prevents static extraction of server addresses |
| IP geolocation filtering | Non-targeted regions receive no malicious payload |
| Domain rotation | No persistent indicators for blocklist-based detection |
| Cordova framework | Malicious logic lives in the web layer, not in Dalvik bytecode |
| Functional apps | Positive reviews and high ratings reduce suspicion |
| No SEND_SMS permission | Fraud is web-based, not through SMS API; no suspicious permissions in manifest |
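As an added defender-side example (not Zimperium's tooling and not code from the page), the following Python triage reads the Cordova web layer of an APK (the zip's `assets/www/` entries) for the C2 Architecture chain above, AES decryption followed by a network fetch and an InAppBrowser open, and checks `cordova_plugins.js` for the InAppBrowser plugin, because the Evasion table shows that manifest permissions such as SEND_SMS give nothing to alert on. The regex indicators, the CryptoJS call in the sample JS, and the in-memory sample APK are constructed assumptions, not strings taken from GriftHorse samples.

```python
import io
import re
import zipfile

# The fraud logic lives in the Cordova web layer (assets/www/), not in Dalvik bytecode, and the
# manifest carries no SEND_SMS, so this triage reads the JS assets instead of the permissions.
AES_RE = re.compile(r"AES\.decrypt|createDecipheriv|aes-\d{3}-(?:cbc|ecb|gcm)", re.I)  # assumed indicators
NET_RE = re.compile(r"XMLHttpRequest|\bfetch\(|\$\.ajax\(", re.I)
IAB_RE = re.compile(r"cordova\.InAppBrowser\.open|window\.open\(", re.I)
IAB_PLUGIN = "cordova-plugin-inappbrowser"  # plugin id as listed in assets/www/cordova_plugins.js
STAGES = (("aes_decrypt", AES_RE), ("network", NET_RE), ("inappbrowser_open", IAB_RE))

def _app_js(names):
    """App-authored JS under assets/www/, skipping Cordova's own runtime and plugin shims."""
    for n in names:
        base = n.rsplit("/", 1)[-1]
        if (n.startswith("assets/www/") and n.endswith(".js")
                and not n.startswith("assets/www/plugins/") and not base.startswith("cordova")):
            yield n

def triage_cordova_apk(apk_bytes):
    """Report where the encrypted-C2 -> fetch -> InAppBrowser chain appears in an APK (a zip)."""
    r = {"cordova": False, "inappbrowser_plugin": False, "aes_decrypt": [], "network": [], "inappbrowser_open": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        r["cordova"] = "assets/www/cordova.js" in names
        if "assets/www/cordova_plugins.js" in names:
            r["inappbrowser_plugin"] = IAB_PLUGIN in z.read("assets/www/cordova_plugins.js").decode("utf-8", "replace")
        for n in _app_js(names):
            src = z.read(n).decode("utf-8", "replace")
            for key, rx in STAGES:
                if rx.search(src):
                    r[key].append(n)
    # Flag only when every stage co-occurs; each one alone is common in benign Cordova apps.
    r["suspicious"] = r["cordova"] and r["inappbrowser_plugin"] and all(r[k] for k, _ in STAGES)
    return r

def build_sample_apk(malicious=True):
    """Constructed in-memory APK mimicking the described layout (sample data, not a real app)."""
    index_js = ("var c2 = CryptoJS.AES.decrypt(encUrl, key).toString(CryptoJS.enc.Utf8);\n"
                "fetch(c2).then(function (r) { return r.text(); })\n"
                "  .then(function (page) { cordova.InAppBrowser.open(page, '_blank'); });\n"
                if malicious else "document.body.innerText = 'compass ready';\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/www/cordova.js", "/* cordova runtime */")
        z.writestr("assets/www/cordova_plugins.js", 'module.exports.metadata = {"cordova-plugin-inappbrowser": "5.0.0"};')
        z.writestr("assets/www/plugins/x/www/shim.js", "window.open('about:blank');")  # shim, skipped by _app_js
        z.writestr("assets/www/js/index.js", index_js)
    return buf.getvalue()
```

Because the premium page URL is only served to targeted geolocations, a dynamic run from a non-targeted country will look benign; this static pass on the web layer does not depend on the C2 responding.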
## Target Regions
GriftHorse targeted over 70 countries. The geolocation-based serving model meant any country with carrier-billed premium SMS services was a potential target.
| Region | Selected Countries |
|---|---|
| Europe | UK, Germany, France, Spain, Italy, Greece, Poland, Norway, Sweden, Finland |
| Asia | India, China, Thailand, Malaysia, Indonesia, Saudi Arabia, UAE |
| Americas | US, Brazil, Canada, Argentina |
| Africa | South Africa, Nigeria, Egypt, Kenya |
| Oceania | Australia, New Zealand |
The campaign's profitability depended on local carrier billing infrastructure. Countries where phone bill charges for premium services are common and difficult to reverse were prioritized.
## Notable Campaigns
2020, November: GriftHorse campaign begins. Trojanized apps start appearing on Google Play and third-party stores. The operation runs silently, accumulating installs across multiple app categories and regions.
2021, ongoing: The campaign scales to 200+ apps and 10M+ infected devices globally. Estimated revenue reaches hundreds of millions of euros at ~36 EUR per victim per month. The aggressive pop-up social engineering drives a steady conversion rate across targeted populations.
2021, September: Zimperium zLabs publishes their discovery, revealing the full scope: 10M+ victims, 70+ countries, 200+ apps. Google verifies the findings and removes all identified apps from the Play Store. Coverage by Threatpost, Dark Reading, The Record, and Malwarebytes follows.
2021, post-disclosure: While removed from Google Play, the apps remained available on third-party app stores. Victims already enrolled in premium services continued to be charged until they manually contacted their carrier to cancel. No arrests or infrastructure seizures have been publicly reported. Kaspersky's subscription trojan comparison documented GriftHorse's subscription mechanics alongside Joker, MobOk, and Vesub.