A fraudulent subscription campaign called Dark Herring has targeted over 100 million Android users worldwide. The campaign has been operating for almost two years. Dark Herring malware was discovered by a research team in Zimperium, who estimated the amount the campaign has been able to steal totals in the hundreds of millions. The campaign was first detected in March 2020 and ran actively.
The Zimperium analysts who identified Dark Herring said that the scamware is likely the work of a new group, which uses novel techniques and infrastructure.
About Dark Herring
The Dark Herring campaign caused losses worth hundreds of millions of dollars by abusing millions of devices via their 470 Google Play Store apps.
The apps subscribe users to premium services that charge $15 per month via Direct Carrier Billing (DCB). The operators of the Dark Herring campaign cashed out the subscriptions while users remained unaware of the infection and the fraudulent charges for a long time, sometimes several months. The names of some malicious apps are Smashex, Upgradem, Stream HD, Vidly Vibe, and Cast It. They pretended to be casual games, photography tools, utilities, and productivity apps.
Also read,
Millions of users at risk
So far, fraudulent applications have been installed by 105 million Android users in 70 countries. The countries with no DCB consumer protection laws, such as India, Finland, Saudi Arabia, Egypt, Greece, Sweden, Norway, Bulgaria, Iraq, Tunisia, and Pakistan, are at greater risk.
Mode of operation
The attackers have used a sophisticated infrastructure that received communications from all the users of 470 applications. However, handled separately based on a unique identifier.
The installed app does not come with any malicious code. It uses a hard-coded encrypted string that leads the users to a first-stage URL hosted on Amazon’s CloudFront. The response from the server includes links to other JavaScript files hosted on AWS instances and downloaded onto the compromised device.
These scripts are used to prepare application configuration concerning the victim, print unique identifiers, language, country information, and find out applicable DCB platforms in each case. Finally, the app displays a customized WebView page to urge the victim to input the phone number and supposedly receive a temporary OTP code to activate the account on the application.
Concluding notes
The Dark Herring campaign has been ongoing for almost two years and targeted millions of users, which indicates that sometimes downloading apps from genuine stores does not guarantee the safety of users. But one must be watchful of activities occurring in their bank accounts.
Source: https://cyware.com/news/millions-of-android-users-targeted-by-dark-herring-e9c63523.