Dark Herring Malware targeted over 105 million Android users, siphoned tons of cash
A sophisticated new malware, dubbed Dark Herring, was discovered by mobile device security experts at Zimperium zLabs. The code aims to trick users into subscribing to a fake service and paying $15 through Direct Carrier Billing. According to the report, 105 million users were tricked into signing up for that subscription.
The problem with Direct Carrier Billing is that you only find out you paid the $15 when your monthly bill arrives. So victims were rarely able to react in time, and the scammers walked away with quite a bit of money; the report says they were able to keep cashing out months after the initial infection. Supposedly, they could have taken in hundreds of millions of dollars before closing up shop.
How was Dark Herring able to stay hidden so long? Researchers note that it is a very sophisticated piece of malware, using several layers of anti-detection and code obfuscation, and even though it was spread across 470 apps, it worked slightly differently in each one.
The apps themselves didn't have malicious code embedded in them. Instead, each contained an encrypted string that led the user out to a WebView page hosted on an Amazon CloudFront server. While the page asked the user to confirm their login by entering their phone number, Dark Herring was working in the background to determine the device's country and language and which Direct Carrier Billing provider it should latch onto.
So, while the bad actors behind Dark Herring did walk away with a lot of cash, the way this was all set up also shows a ton of up-front investment and infrastructure planning. In other words, this is a well-funded operation, probably working on the next piece of malware right now.
The apps that were infected by Dark Herring are generally innocent games or photo editors and effect applications. You can check out the full list of affected apps here.
How can we protect ourselves against this type of malware?
As noted, Dark Herring was quite adept at avoiding antivirus apps. However, it does ask the user for more than is reasonable when creating a new account for an app.
For example — if you download Offroad Jeep Simulator and the game tells you it needs your phone number for you to keep playing, that's a sure sign that you should delete it immediately.
And while we are sure our PhoneArena readers are quite aware of this, maybe it's a good time to remind ourselves that there are those around us that are not so savvy. Kids can be especially naive and if pretty screenshots entice them to try a game, they may very quickly give up a phone number, thinking it's just one of those "two factor things" we are all so used to seeing. And, of course, the elderly very often just do whatever the screen asks them to do, thinking it'll just get them into an app.
Be sure to educate and remind those around you to not tap messages that insist their phone is infected and let them know that they should never, ever enter their phone number in an app that is not WhatsApp or Viber. In fact, just set those up for them and tell them to never enter their phone number for anything, period.
Lastly, just in case — keep an eye on that phone bill.
With the current lockdowns, a lot of people who were not so tech-savvy in the past have found themselves spending more time in this digital world of ours. Sadly, this has also led to more bad actors popping up, trying to exploit the less experienced. And, in the case of Dark Herring, some of them are obviously well-funded and highly organized.