A fraudulent subscription campaign, called Dark Herring, has targeted over 100 million Android users around the world. The campaign has been operating for almost two years. The earliest malicious app laden with Dark Herring was submitted in March 2020.

Diving into Dark Herring

The Dark Herring campaign caused losses worth hundreds of millions of dollars by abusing millions of devices via their 470 Google Play Store apps.
  • The apps subscribe users to premium services that charge $15 per month via Direct Carrier Billing (DCB).
  • The operators of the Dark Herring campaign cashed out the subscriptions while users remained unaware of the infection and the fraudulent charges for a long time, sometimes several months.
  • The names of some malicious apps are Smashex, Upgradem, Stream HD, Vidly Vibe, and Cast It. They pretended to be casual games, photography tools, utilities, and productivity apps.

Millions at risk

  • So far, the fraudulent apps have been installed by 105 million users in 70 countries. 
  • Countries without DCB consumer protection laws, such as India, Finland, Saudi Arabia, Egypt, Greece, Sweden, Norway, Bulgaria, Iraq, Tunisia, and Pakistan, are at greater risk.

Modus operandi

The attackers used a sophisticated infrastructure that received communications from the users of all 470 applications, handling each app separately based on a unique identifier.
  • The installed app does not contain any malicious code itself. It uses a hard-coded encrypted string that leads to a first-stage URL hosted on Amazon CloudFront.
  • The response from that server includes links to further JavaScript files hosted on AWS instances, which are downloaded onto the compromised device.
  • These scripts prepare the app's configuration for the specific victim: they generate unique identifiers, retrieve language and country information, and determine which DCB platforms apply in each case.
  • Finally, the app displays a customized WebView page urging the victim to enter their phone number, supposedly to receive a temporary OTP code that activates their account in the application.

Concluding notes

The Dark Herring campaign has been ongoing for almost two years and has already targeted millions of users. This shows that downloading apps from official stores does not always guarantee users' safety. Users should therefore keep a close watch on the activity in their banking and carrier accounts.

Cyware Publisher