“Grifthorse” has already victimized 10 million people worldwide.

Security researchers have found a massive malware operation that has infected more than 10 million Android smartphones across more than 70 countries since at least November 2020 and is making millions of dollars for its operators on a monthly basis.

Researchers at mobile security company Zimperium discovered and detailed the malware this week. They found the malware, which they named “GriftHorse,” more than 200 malicious applications.

These malicious Android applications appear harmless in the store description and in the permissions they request. But this false sense of confidence changes when users start paying month over month for the premium service they subscribed to without their knowledge and consent.

Users tricked into subscribing to premium SMS plans

The mobile applications pose a threat to all Android devices by functioning as a Trojan that subscribes unsuspecting users to paid services, charging a premium amounting to around 36 Euros per month.

The Zimperium zLabs researchers discovered this global premium services Trojan campaign through a rise in specific alerts from their z9 on-device malware detection engine. The engine detected and reported the true nature of these malicious Android applications.

The researchers found that the cybercriminals took great care to avoid detection. They avoided using hardcoded URLs or reusing the same domains and filtering or serving the malicious payload based on the originating IP address location. That allowed the attackers to target different countries in different ways.

Zimperium found that the malicious applications propagated through both Google Play and third-party application stores. They reported the findings to Google, who verified the provided information and removed the malicious applications from the Google Play store. However, the malicious applications are still available on unsecured third-party app repositories, highlighting the risk of sideloading applications to mobile endpoints and user data and needing advanced on-device security.