Researchers discovered a new piece of malware, called Dark Herring, that went undetected for a very long time while charging unsuspecting users money. All of the applications appeared safe, legitimate, and verified, and they were widely available on Google Play Store and other third-party App Stores. The malware campaign found up to 105 million victims globally, and it's one of the biggest scams in mobile history.
Researchers from Zimperium zLabs discovered a new “premium service abuse campaign with upwards of 105 million victims globally”, and the malware that caused the problems was named “Dark Herring”. The total amount of money scammed out of unsuspecting users could be well into the hundreds of millions of dollars, but it’s hard to tell what the exact amount may be.
Seemingly normal and harmless applications were added to the Google Play Store. Their descriptions and permission requests didn’t raise alarms, as they seemed genuine. Things started to change a few months later, when users began to notice that they kept getting charged via direct carrier billing.
For those unaware, Direct Carrier Billing (DCB) is a mobile payment method that allows users to charge purchases to their phone bills, using their phone numbers. These apps targeted millions of users globally, and they were available in over 70 countries. Dark Herring charged, on average, $15 every month. The amount was often too small to notice immediately, and many users went on for months without noticing an issue. A total of 470 applications infected with Dark Herring were uploaded to the Google Play Store. You can see the full list of applications here.
The research team established that the Dark Herring Android scamware campaign was one of the most successful campaigns ever and ran the longest. Researchers revealed the publication dates of the apps, which go back to March 2020. “Dark Herring is the longest-running mobile SMS scam discovered by the Zimperium zLabs team.”
How did Dark Herring work?
When a user downloaded and installed one of these Dark Herring-infected apps, the app appeared to function normally, without triggering any alarms with either the user or their device. Soon, the user was redirected to a geo-specific webpage where they were asked to enter their phone number to verify themselves. Unfortunately, many users are often prone to providing phone numbers to unknown people and services. This resulted in people getting charged, often for months, without noticing a change to their billing information.
Zimperium provided even more detail, revealing how the scam worked. If you want to read more about the technicalities, you can read the full article on their website.