The Zimperium research team discovered the Dark Herring malware. The team’s report stated that over one hundred million Android users downloaded and installed the applications from the Google Play Store and other app stores. Dark Herring used four hundred and seventy applications to target users in different countries. A related figure reported by Zimperium puts the number of victims at over ten million people worldwide.
During the Dark Herring campaign, which had been running since March 2020, subscribers to an application were charged $15 per month for a premium service, generating a continuous stream of money and leading to losses of hundreds of millions caused by the scammers. The campaign continued for a long time because the applications provided by this group met users’ expectations, so the apps remained installed and signed in on the users’ devices.
When a user installed the scammer app on their device, the Dark Herring application would start communicating with the command and control server to dispatch the user’s URL, which the scammers later used to force a direct carrier billing subscription onto the user. The next step Dark Herring would take was to send the app user to a specific web page that forced them to provide their phone number for confirmation purposes. Unfortunately, by submitting their number the users were unknowingly subscribing to the app’s premium service.
Zimperium said the app users would not be aware that the scammers had stolen their money, and there was a high chance that a user would not notice the theft for months. By the time the user detected the theft, it would be too late to get the money back.
Between March 2020 and November 2021, the four hundred and seventy applications were published on the Google Play Store; Google later removed them from its store. Nonetheless, it is paramount to note that the apps are still available through other app stores.
Zimperium also stated that Dark Herring had built the proper foundation to handle reports from the different applications, each with a distinctive identifier, so that the applications could be managed efficiently. When the user installed the scammer app on their phone, the application would load a WebView hosted on CloudFront, after which JavaScript files linked from AWS would respond to the request. The Zimperium research team also noted that only a subset of users in selected countries could be signed up for direct carrier billing.
According to Zimperium’s notes on Dark Herring, a substantial investment had to be made to develop the infrastructure that kept the campaign operational. Dark Herring could also stay hidden for a long time because it used sophisticated malware, several layers of anti-detection, and code obfuscation. The other tactic the scammers used to succeed was geo-targeting, delivering the application in the user’s native language. The Dark Herring team spread the scam across four hundred and seventy apps, yet it worked differently in each one of them.
The researchers also noted that the apps did not have any malicious code implanted in them. Instead, they contained an encrypted string that would lead the user to a web page hosted on an Amazon CloudFront server. While the page asked users to confirm their login by entering their phone numbers, Dark Herring was working behind the scenes to determine the users’ language and country and which direct carrier billing service it would hook into.
The intelligence collected by the Zimperium Labs team estimated that Dark Herring had set out to infect more than one hundred and five million devices since March 2020. The apps used by Dark Herring were photo editors, games, and utility applications. Still, because of the nature of direct carrier billing, users in some countries were shielded by consumer protections put in place by telcos. Countries like India, Pakistan, Finland, and Sweden were the most targeted because they had less stringent consumer protections for telecommunication users.