Hundreds of scam apps hit over 10 million Android devices

Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play, but this is still a long-standing problem that could cost users hundreds of millions of dollars.
According to researchers at Zimperium, the scam campaign has been affecting Android since November 2020. The attackers were able to sneak benign-looking apps such as "Handy Translator Pro," "Heart Rate and Pulse Tracker," and "Bus - Metrolis 2021" onto Google Play to disguise something worse. After downloading one of the malicious apps, a victim would get five notifications per hour. These prompted them to confirm their number in order to claim a prize. An in-app browser was used to load the prize claim page, a common method of keeping malicious indicators out of the app's own code. After victims entered their numbers, the attackers charged them a monthly fee of $42 via the premium SMS services feature on wireless bills. That feature is a way to pay for digital services or send money to charity via SMS message. In this instance, the money went straight to the crooks.

These techniques are very common in malicious Play Store applications, and premium SMS fraud is a well-known issue. Researchers believe it is significant that attackers could still use these methods in an extremely effective way, even though Google continues to improve its Android security and Play Store defenses.


Richard Melick, Zimperium’s director of product strategy and end-point security, said that this is a remarkable feat of scale. They offered a wide range of techniques for all types; they are well-proven and refined. It's a carpet-bombing effect in terms of the number of apps. One may be successful and another might not, which is fine.

This operation targeted Android users in over 70 countries. It specifically checked victims' IP addresses to determine their geographical regions. To make the experience more engaging, the app would display webpages in the primary language of that location. Security researchers can track malware operations more easily if URLs are not reused. The content that the attackers created was of high quality and did not contain the typos or grammatical errors that can make scams more obvious.

Zimperium is part of Google's App Defense Alliance, a group of third-party companies that helps keep an eye on Play Store malware. The company disclosed the GriftHorse campaign as part of this collaboration. Google claims that all the apps Zimperium identified have been removed from the Play Store and that the associated app developers have been banned.

Researchers point out that many of the apps, which have been downloaded hundreds of thousands of times, are still available via third-party app stores. The researchers also note that although premium SMS fraud is a well-known problem, it still works because malicious charges don't usually show up until the victim's next wireless bill. If attackers get their apps onto company devices, they can trick large corporations' employees into paying for charges that may go unnoticed for many years.

Although the removal of the apps will temporarily slow down the GriftHorse campaign, researchers stress that new variations are always found.

These attackers are professional and well organized. They created this business and aren't going to stop there, according to Zimperium CEO Shridhar Mittal. This was definitely not a one-off event.

This story first appeared on