GriftHorse

Malware

⚠️ Overview

GriftHorse is a premium SMS scam trojan targeting Android devices, first discovered by Zimperium's zLabs in September 2021. It is operated by an unknown threat actor and categorized as a mobile financial stealer that subscribes victims to premium SMS services without their knowledge.

🔧 Technical Capabilities

GriftHorse propagates through trojanized applications distributed via official Google Play Store and third-party app stores, often disguised as utility tools, entertainment apps, or health trackers. Once installed, the malware silently subscribes the victim to expensive premium SMS services by intercepting and hiding SMS confirmation codes from the mobile carrier, using Android's notification listener or accessibility services. C2 infrastructure consists of multiple domains and IP addresses that deliver premium-rate phone numbers and subscription instructions. Persistence is achieved through auto-start permissions and background services that re-initiate subscriptions if detection is attempted. Evasion techniques include encryption of configuration strings, dynamic loading of malicious payloads from C2 servers, and obfuscated code that avoids static analysis. Zimperium's report (October 2021) notes that the malware exfiltrates device information (IMEI, IMSI, phone number, network operator) to C2 before initiating subscriptions.

📜 History & Notable Incidents

GriftHorse first appeared in early 2021, with the most prominent campaign occurring between September 2021 and early 2022, where over 200 trojanized apps were identified on Google Play with more than 10 million total installs. Victims spanned 70+ countries, with notable high infection rates in India, Russia, Mexico, and the United States. No specific CVEs are associated as the malware relies on abuse of legitimate Android permissions rather than exploits. No law enforcement takedowns have been publicly reported.

🔍 Detection Indicators

Behavioral signatures include unexpected premium SMS charges appearing on phone bills and device logs showing connections to suspicious domains such as api.grift[.]pro and cd.grift[.]info (identified by Zimperium). Network IOCs include HTTP POST requests to C2 endpoints containing encrypted device data. No static hashes are widely published due to rapid app versioning, but the presence of apps requesting SEND_SMS, RECEIVE_SMS, READ_SMS, and BIND_ACCESSIBILITY_SERVICE permissions without a clear need is a strong indicator.

☠️ Risk & Impact

Primary damage is financial: each subscription charges between 0.30 to 15 EUR per message, resulting in cumulative losses estimated at millions of Euros globally. Affected sectors include individual consumers across all demographics, with mobile carriers also impacted by associated fraud losses. No evidence of data theft beyond device identifiers and phone numbers has been reported.

🛡️ Mitigation

Users should avoid installing apps from untrusted sources and review app permissions carefully, particularly for SMS and accessibility service access. Enterprises can deploy mobile threat defense (MTD) solutions such as Zimperium's zIPS, which includes detection rules for GriftHorse based on behavioral patterns and network IOCs. Regular audits of mobile device bills for unexplained premium SMS charges are also recommended.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.