GriftHorse: 10 Million Android Users Billed Via Premium SMS Subscription Scam

A criminal operation distributed more than 200 malicious Android apps through the Google Play Store and third-party markets. The apps tricked users into subscribing to premium SMS services billed at €30–40 per month, reaching an estimated 10 million victims in 70 countries.

Google Play / Mobile Carriers · 2021 · 2 min read

Background

Premium SMS subscription fraud has existed since the mid-2000s, but GriftHorse represented a significant evolution: professional-quality apps, massive scale, and a monthly recurring billing model that turned each victim into an ongoing revenue stream until the subscription was noticed and cancelled. Victims often did not notice the charges for months.

The Attack

GriftHorse apps were built to look like useful tools (games, utilities, VPN clients) and shipped with genuinely working basic features to avoid suspicion. Once opened, an app displayed a notification claiming the user had won a prize. Clicking through led to a series of screens ending in a phone number entry form. Fine print buried in the interface stated that the number entered would be subscribed to a premium SMS service; many users never read it or did not understand what they were agreeing to. From then on, charges of €30–40 per month appeared on the phone bill under innocuous billing descriptors. Because the victim supplied the phone number, the subscription did not depend on the app holding SMS permissions, which is what makes this flow hard to catch with a permission review alone.

Response

Zimperium zLabs researchers discovered the campaign and published their findings in September 2021, after noticing unusual SMS activity patterns. Google removed the reported apps (more than 200) from the Play Store; removal from Play does not uninstall copies already on devices or affect copies hosted on third-party markets. Mobile network operators were alerted to the premium numbers involved. Refunds were difficult to obtain: many victims had been billed for months before discovery, and the charges had already been settled with the premium service providers.

Outcome

10 million victims across 70 countries were billed an estimated €30–40 per month each. Potential revenue to the operators was in the hundreds of millions of euros annually. The campaign showed that mobile fraud at this scale could run for months under the radar of app store review, carriers and regulators, because each individual charge looked like an ordinary third-party billing line.

Key Takeaways

  1. Review your mobile phone bill every month; a fixed recurring charge to an unfamiliar third-party descriptor is the signature of a premium SMS subscription, and many operators will block premium services on a line on request
  2. Install Android apps only from developers with a track record and genuine reviews; presence in an app store does not guarantee safety, as GriftHorse's Play Store listings showed
  3. Check app permissions before installing; apps that request SMS permissions without an obvious need are suspicious. GriftHorse itself relied on a phone number the victim typed in rather than on SMS permissions, so treat prize pop-ups and unexpected phone number prompts as the warning sign
  4. Mobile operators must improve detection of premium SMS subscription fraud patterns, such as many lines enrolled on the same new premium service within a short window and rising complaint or refund rates for that service
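As an added example for takeaways 1 and 4 (this is not code from the page, from Zimperium, or from any carrier), the following Python runs two simple detections over constructed billing line items: on the subscriber side, it flags a premium SMS descriptor charged to the same line in consecutive months; on the operator side, it counts how many lines are billed for a descriptor for the first time each month, which exposes the rapid enrolment that a campaign like GriftHorse produces. The record layout, field names, descriptors and phone numbers are all assumptions made for the example.

```python
"""Flag recurring premium-SMS subscription charges in billing records.

Added example for this page; not code from Zimperium, Google or any carrier.
Record layout and sample data are constructed for illustration.
"""
from collections import defaultdict


def _rows(msisdn, descriptor, months, amount=36.00, kind="PREMIUM_SMS"):
    """Build one billing line item per month for a subscriber (constructed data)."""
    return [{"msisdn": msisdn, "month": m, "descriptor": descriptor,
             "kind": kind, "amount": amount} for m in months]


# Constructed sample billing records: one row per charge per subscriber per month.
# "kind" separates the subscriber's own plan from third-party premium SMS billing.
SAMPLE_RECORDS = (
    _rows("4915000001", "MONTHLY PLAN", ["2021-02", "2021-03", "2021-04"], 19.99, "PLAN")
    + _rows("4915000001", "INFO SERVICES", ["2021-02", "2021-03", "2021-04"])
    + _rows("4915000002", "INFO SERVICES", ["2021-03", "2021-04"])
    + _rows("4915000003", "VOTE LINE", ["2021-02"], 2.99)        # one-off, not a subscription
    + _rows("4915000004", "INFO SERVICES", ["2021-02", "2021-04"])  # gap month: not consecutive
    + _rows("4915000005", "INFO SERVICES", ["2021-04"])
    + _rows("4915000006", "INFO SERVICES", ["2021-04"])
    + _rows("4915000007", "INFO SERVICES", ["2021-04"])
)


def _month_index(month):
    """Map 'YYYY-MM' to a running month number so consecutive months differ by 1."""
    year, mon = month.split("-")
    return int(year) * 12 + int(mon) - 1


def recurring_premium_charges(records, min_months=2):
    """Subscriber-side check (takeaway 1).

    Returns [(msisdn, descriptor, [months], total)] for every subscriber/descriptor
    pair billed as PREMIUM_SMS in at least `min_months` consecutive billing months.
    A charge that recurs monthly at a fixed amount is the subscription signature.
    """
    by_pair = defaultdict(dict)
    for r in records:
        if r["kind"] != "PREMIUM_SMS":
            continue
        by_pair[(r["msisdn"], r["descriptor"])][r["month"]] = r["amount"]

    hits = []
    for (msisdn, desc), months in by_pair.items():
        best, run, prev = [], [], None
        for m in sorted(months, key=_month_index):
            # Extend the run only if this month directly follows the previous one.
            if prev is not None and _month_index(m) == _month_index(prev) + 1:
                run.append(m)
            else:
                run = [m]
            if len(run) > len(best):
                best = list(run)
            prev = m
        if len(best) >= min_months:
            hits.append((msisdn, desc, best, round(sum(months[m] for m in best), 2)))
    return sorted(hits)


def new_subscribers_per_month(records):
    """Operator-side check (takeaway 4).

    For each premium descriptor, count the lines billed for it for the first time
    in each month: {descriptor: {month: new_lines}}. A descriptor that enrols many
    distinct lines in a short window is the pattern to review before the next
    billing cycle runs.
    """
    first_seen = {}
    for r in sorted(records, key=lambda r: _month_index(r["month"])):
        if r["kind"] == "PREMIUM_SMS":
            first_seen.setdefault((r["descriptor"], r["msisdn"]), r["month"])
    counts = defaultdict(lambda: defaultdict(int))
    for (desc, _msisdn), month in first_seen.items():
        counts[desc][month] += 1
    return {d: dict(sorted(m.items())) for d, m in counts.items()}


if __name__ == "__main__":
    for msisdn, desc, months, total in recurring_premium_charges(SAMPLE_RECORDS):
        print(f"{msisdn}: '{desc}' billed {len(months)} consecutive months, total {total:.2f}")
    for desc, per_month in new_subscribers_per_month(SAMPLE_RECORDS).items():
        print(f"{desc}: new lines per month {per_month}")
```

Thresholds are deliberately simple: a real operator feed would also weight the charge amount, compare enrolment rates against the descriptor's history, and join in complaint and refund tickets, but the two aggregations above are the core of both the "read your bill" advice and the carrier-side pattern detection the takeaways call for.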
Tags: premium SMS, mobile fraud, Android, subscription scam, GriftHorse