Dark Herring campaign defrauds about 100 million Android phone users

February 14, 2022

A Dark Herring Android fleeceware campaign discovered a few years ago may have stolen hundreds of millions of dollars from Android phone users worldwide who downloaded the malicious applications distributed by the campaign.

Researchers explained that the Dark Herring Android apps worked exactly as the threat actors advertised. Android users were the perfect target for these malicious apps because the apps were available on the Google Play Store. Dark Herring’s apps came in different genres such as productivity tools, image and photo filters, entertainment, and games.

Unknown to the Android users, these malicious apps also redirect them to compromised web pages that the threat actors designed to deceive them. The hackers programmed these web pages to display text in the native language of the user.

Based on the reports, the compromised sites instruct the unaware users to enter their phone numbers for verification, but this “verification” step actually signs the target up for a subscription that charges them about 15% every month.


The Dark Herring campaign exploits a standard feature for payment across the world.


Dark Herring works by exploiting a common payment feature called “direct carrier billing.” This feature is available in most countries worldwide and lets phone users purchase digital services or physical items through their smartphones or other devices.

In practice, direct carrier billing works much like Google Pay or Apple Pay, except that the charges appear on the user’s phone bill instead of being sent to an email account.

An interesting aspect of the Dark Herring campaign is that the threat actors are not greedy once they have successfully infiltrated a target’s device: they do not immediately drain the user’s money. Instead, they add recurring charges that slowly milk their targets’ bank balance so that the fraud is not noticed quickly.

Furthermore, Dark Herring’s apps work as designed, so users who download them will not suspect anything. The campaign also counts on users forgetting about the malicious apps installed on their devices, which prolongs the subscription on the mobile device.

Dark Herring’s campaign to deploy malicious apps on the Google Play Store is sophisticated and dangerous to users. The apps themselves do not compromise the phone and contain no malicious code that would be evident to most users. This is also why Android AV solutions did not flag any of Dark Herring’s apps: they function as legitimate, harmless applications.

Instead, Dark Herring’s apps download additional scripts that determine the phone’s language and location. The threat actors upload this language information about the user’s phone to their C2 server, which uses it to tailor the deception to the target.

If the C2 server’s verdict is to target the user, the app loads a malicious website matching the target’s language and country. After being redirected to the malicious website, the user is asked to complete the registration to verify their subscription, as mentioned earlier.

Confirmed victims of Dark Herring are present in over 70 countries worldwide, spanning nations on every continent, including Oceania, Asia, Europe, and North America.
