'Dark Herring' premium service fraud impacts 105 million Android users

A premium services subscription scam for Android has been operating for close to two years. Called ‘Dark Herring’, the operation used 470 Google Play Store apps and affected over 100 million users worldwide, potentially causing hundreds of millions of USD in total losses.

‘Dark Herring’ was present in 470 applications on the Google Play Store, Android’s official and most trustworthy source of apps, with the earliest submission dating to March 2020.

In total, the fraudulent apps were installed by 105 million users in 70 countries, subscribing them to premium services that charged $15 per month through Direct Carrier Billing (DCB).

DCB is a mobile payment option that lets people purchase digital content from the Play Store, charging it to their prepaid balance or postpaid bill.

The operators of ‘Dark Herring’ collected on the subscriptions while victims typically noticed the fraudulent charges much later, sometimes several months after installing the app.

The discovery of ‘Dark Herring’ comes from Zimperium zLabs, a Google partner and member of the Google App Defense Alliance, whose goal is to tackle the malware problem on the Play Store.

How the malware works

The long-term success of Dark Herring relied on anti-detection techniques, distribution through a large number of apps, code obfuscation, and the use of proxies as first-stage URLs.


While none of the above is new or groundbreaking, seeing them combined into a single piece of software is rare for Android fraud.

Moreover, the actors used a sophisticated infrastructure that received communications from all users of the 470 applications but handled each separately based on a unique identifier.

The installed app doesn’t contain any malicious code but features a hard-coded encrypted string that points to a first-stage URL hosted on Amazon’s CloudFront.

The response from the server contains links to additional JavaScript files hosted on AWS instances, which are downloaded onto the infected device.

Figure: Response from the first-stage URL (Source: Zimperium)

These scripts fetch a per-victim configuration, generate the unique identifiers, collect the device's language and country details, and determine which DCB platform applies in each case.

Finally, the app serves a customized WebView page that prompts the victim to enter their phone number, supposedly to receive a temporary OTP (one-time passcode) that activates the account in the application. In practice, the number is what the operators need to enrol the victim in a DCB subscription.

Figure: Requesting the victim’s phone number via a customized page (Source: Zimperium)
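The traits described in this section (a hard-coded high-entropy string standing in for the first-stage URL, CloudFront/AWS hosting, and a first-stage response that only carries links to further JavaScript) can be turned into a static triage pass over a decoded APK. The script below is an added example, not Zimperium's tooling and not code recovered from the campaign. It assumes the APK was unpacked with apktool into a directory holding AndroidManifest.xml and res/values/strings.xml; the permission check for phone-number and SMS access is this example's own heuristic for apps that capture a number or an OTP, not a behaviour the article attributes to Dark Herring. The manifest, string table, first-stage body and the base64 blob are all constructed sample inputs.

```python
"""Static triage for the staged-loader pattern described in the article.

Added example; not Zimperium's tooling, not code from the campaign. Assumes
an apktool-decoded APK (AndroidManifest.xml + res/values/strings.xml). The
permission heuristic is this example's own assumption. Inputs are constructed.
"""
import base64
import math
import re
from collections import Counter

CLOUD_URL_RE = re.compile(
    r"https?://[A-Za-z0-9.\-]*(?:cloudfront\.net|amazonaws\.com)[^\s\"'<>]*"
)
JS_URL_RE = re.compile(r"https?://[^\s\"'<>]+\.js\b")
PERMISSION_RE = re.compile(r'android:name="(android\.permission\.[A-Z_]+)"')
STRING_RE = re.compile(r'<string name="([^"]+)"[^>]*>([^<]*)</string>')

# Heuristic (this example's assumption, not from the article): permissions
# that let an app read the device number or the OTP SMS without asking.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}


def shannon_entropy(text: str) -> float:
    """Bits per character: English UI strings sit near 4, base64 ciphertext higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_encrypted_blob(value: str, min_len: int = 32, min_entropy: float = 4.5) -> bool:
    """Long, strictly base64 and high entropy: a candidate hard-coded ciphertext."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return shannon_entropy(value) >= min_entropy


def extract_permissions(manifest_xml: str) -> set:
    return set(PERMISSION_RE.findall(manifest_xml))


def extract_strings(strings_xml: str) -> dict:
    return dict(STRING_RE.findall(strings_xml))


def first_stage_js_links(body: str) -> list:
    """Follow-on script URLs referenced by a first-stage response body."""
    return sorted(set(JS_URL_RE.findall(body)))


def triage(manifest_xml: str, strings_xml: str) -> dict:
    perms = extract_permissions(manifest_xml)
    strings = extract_strings(strings_xml)
    cloud_urls = sorted({u for v in strings.values() for u in CLOUD_URL_RE.findall(v)})
    blobs = sorted(name for name, v in strings.items() if looks_encrypted_blob(v))
    suspect = sorted(perms & SUSPECT_PERMISSIONS)
    # A loader needs network access plus either a plain cloud URL or a
    # ciphertext that could hide one; phone/SMS permissions raise the score.
    has_net = "android.permission.INTERNET" in perms
    score = int(has_net) * (int(bool(cloud_urls)) + int(bool(blobs))) + len(suspect)
    return {
        "cloud_urls": cloud_urls,
        "encrypted_blobs": blobs,
        "suspect_permissions": suspect,
        "score": score,
        "verdict": "review" if score >= 2 else "low",
    }


# Constructed samples shaped like the loader the article describes.
SAMPLE_MANIFEST = """<manifest package="com.example.loader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""

SAMPLE_STRINGS = """<resources>
  <string name="app_name">Example Player</string>
  <string name="prompt">Enter your phone number to receive an activation code</string>
  <string name="cfg" translatable="false">Q2z7x9pL0bNmKjHgFdSaQwErTyUiOpAsDfGhJkLzXcVbNmQwErTy</string>
  <string name="cdn">https://d111111abcdef8.cloudfront.net/stage1</string>
</resources>"""

SAMPLE_FIRST_STAGE = """{"scripts": ["https://s3.amazonaws.com/ex-bucket/init.js",
 "https://ec2-198-51-100-7.compute-1.amazonaws.com/dcb.js"], "ttl": 3600}"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
    print(first_stage_js_links(SAMPLE_FIRST_STAGE))
```

On a real unpacked APK, point `triage` at the decoded manifest and every `res/values*/strings.xml`, and run `first_stage_js_links` over a response captured in a sandbox; the entropy threshold is deliberately loose, so treat a hit as a reason to look at the decryption routine in the smali, not as a verdict.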

Apps and targets

With 470 applications distributing the malware, the targeted audience was quite diverse. Most of these apps fell in the broad and popular “Entertainment” category.

Other prevalent Dark Herring apps were photography tools, casual games, utilities, and productivity apps.

One key factor in the consequences of the Dark Herring operation is the absence of consumer-protection rules for DCB in some countries, which were therefore targeted more aggressively than others.

Those at greater risk were India, Pakistan, Saudi Arabia, Egypt, Greece, Finland, Sweden, Norway, Bulgaria, Iraq, and Tunisia.

Figure: Victimization likelihood heatmap (Source: Zimperium)

Even in countries where strict DCB protection rules apply, if the victims are late to realize the fraud, reverting the transactions may be impossible.

The most popular Dark Herring apps, each with several million downloads, are:

  • Smashex
  • Upgradem
  • Stream HD
  • Vidly Vibe
  • Cast It
  • My Translator Pro
  • New Mobile Games
  • StreamCast Pro
  • Ultra Stream
  • Photograph Labs Pro
  • VideoProj Lab
  • Drive Simulator
  • Speedy Cars – Final Lap
  • Football Legends
  • Football HERO 2021
  • Grand Mafia Auto
  • Offroad Jeep Simulator
  • Smashex Pro
  • Racing City
  • Connectool
  • City Bus Simulator 2

To access the entire list of all 470 malicious Android applications, check out this GitHub page.
