Android users are falling prey to an active app subscription based fraud campaign involving a newly emerged Dark Herring malware...

Continue reading
Android users are falling prey to a long-running services subscription scam that has been active for the last two years dubbed as ‘Dark Herring.’ Zimperium zLabs discovered this Android malware found on the Play Store. ’ Dark Herring’ malware has maliciously infected over 470 android applications to target over 100 million users across the globe resulting in a mass loss of hundreds of millions of USD, with the earliest submission dating to March 2020.
Threat actors tricked 105 million users into opting for a monthly premium subscription costing $15 following the installation of such fraudulent android apps from Google Play Store-among-other-apps) through Direct Carrier Billing (DCB). As soon as the users realized they were prey to this ‘Dark Herring’ malware scam, threat actors cashed out all the subscription purchases way past several months after the infection.
Dark Herring has managed to stealthily remain active all this while without getting detected, mainly due to its unique attributes like AV anti-detection capabilities, code obfuscation, propagation through a large number of apps, and the use of proxies as first-stage URLs. Unlike other malware programs, which possess all the characteristics but not within a single piece of software, it can be too much for any online fraud relating to android.
Besides, unlike any other android malware, the operators behind Dark Herring adopted a different approach to receive communications from all the targeted users. The latter have installed any of the 470 android applications but handled each separately based on a unique identifier using a sophisticated infrastructure.
While all the infected android applications don't embed with any malicious code, rather, it features an encrypted string leading to a first-stage URL hosted on the CloudFront of Amazon. Following that, an additional JavaScript file hosted on AWS instances carrying the response from the servers downloaded onto the compromised device.

All the infected android applications are prepared with the malicious code in order to obtain the underlying configuration in accordance with the user to generate the unique identifiers, fetch the language and country details and determine which DCB platform is applicable in each case.
In the end, a customized WebView leads to inserting the victim's phone number that supposedly receives a temporary OTP code for activating the account on the application, enabling geo-targeting.
Thanks to the steady revenue stream, Dark Herring has become a well-funded malware operation due to its constant revenue flow._ “The evidence also points to a significant financial investment from the malicious actors in building and maintaining the infrastructure to keep this global scam operating at such a high pace,”_ mentioned in the Zimperium report.


With around 105 million victims spread covering a diversified demographic under various applications, entertainment remains especially popular amongst all. Moreover, due to the absence of DCB consumer protection laws in different targeted countries, it became way too easy for the Dark Herring operators to exploit users. Out of all that India, Pakistan, Saudi Arabia, Egypt, Greece, Finland, Sweden, Norway, Bulgaria, Iraq, and Tunisia, we're under red alert compared to other targeted countries.
Here is a list of a few highly exploited Dark Herring apps, each garnered with several million downloads, and the rest of the list can be accessed through below GitHub page:
-Smashed -Ultra Stream -Photograph Labs Pro -VideoProj Lab -Upgrade -Stream HD -Vidly Vibe -Cast It -My Translator Pro -New Mobile Games -StreamCast Pro -Drive Simulator -Speedy Cars – Final Lap -Football Legends -Football HERO 2021 -Grand Mafia Auto -Offroad Jeep Simulator -Smashex Pro -Racing City -Connectool -City Bus Simulator 2

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.