After fraudsters stole millions of euros from Android users, the next Google failure follows. The two-year “Dark Herring” campaign has hit more than 100 million users.

Google is unable to get a grip on malware attacks that reach smartphones via seemingly harmless apps from the Play Store. Cyber criminals are investing more and more money in large-scale fraud campaigns, which often last for several years. Currently, almost 470 malware-infected apps are still in circulation.

Malware apps charge money to the phone bill

Only recently, the security company “Zimperium” uncovered the “GriftHorse” Trojan campaign, which TECHBOOK also reported on. While searching for more scams of this type, the researchers found other malware-infested apps. The campaign, dubbed Dark Herring, has been running for almost two years and has reached more than 100 million Android users. Like “GriftHorse” before it, “Dark Herring” is a play on words, this time on the phrase “red herring”. Taken literally, that is a red-coloured herring, but in a figurative sense it stands for a deceptive manoeuvre.

The “Dark Herring” campaign uses the same strategy that has worked in apps with “GriftHorse” malware. It makes use of Direct Carrier Billing (DCB) technology – a payment method that allows users to pay by phone bill. DCB is most common in countries where credit cards are not widely used.

After installing one of these apps, users get several notifications per hour telling them to confirm their phone number in order to win a prize. Instead, however, the hackers register the number for an SMS service, for which 30-40 euros are deducted from the telephone bill each month. The “Dark Herring” apps contain hidden code that automatically subscribes to “premium services” that cost $15. Users often only find out several months later that this amount has been charged to their telephone bill.

Dark Herring campaign in more than 70 countries

Although “Dark Herring” uses similar means to the “GriftHorse” attacks, “Zimperium” has found that they are different campaigns. “Dark Herring” apps have a different code base and are even more successful in spreading to users. The security researchers emphasize that the apps are not just cheap copies of each other. Rather, they say, the cyber criminals invested a lot of money to release working apps across a wide range of categories. The sheer size of the campaign alone, with almost 470 apps, makes it difficult for Google’s Play Store security measures to detect hidden malicious code in each one.

[Map: Countries marked in yellow are affected by the “Dark Herring” campaign – countries in red particularly badly. Photo: Zimperium]

According to Zimperium, the “Dark Herring” campaign has reached users in more than 70 countries. The apps are installed on more than 105 million smartphones. Some of them have been downloaded up to five million times. They can recognize the respective country based on the IP address of the user and display content in the appropriate language. In combination with the fact that the apps actually work, users can hardly notice that it is malware.

Google has now deleted all affected apps from the Play Store. However, apps that are already installed remain on the smartphone and can continue to cause damage. They can also still be found in third-party app stores and online databases. TECHBOOK therefore advises deleting the apps from the smartphone immediately and not installing them from other sources. For the complete list of malware-infected apps, visit the GitHub page for Dark Herring.
