An Android premium service subscription fraud has been active for over two years. The operation, dubbed ‘Dark Herring,’ affected over 100 million people globally and leveraged 470 Google Play Store applications, potentially causing total losses worth millions of dollars. Its earliest submission dates back to March 2020.
In all, 105 million people in 70 countries downloaded the fraudulent applications, which enrolled them in premium services that cost $15 each month via Direct Carrier Billing (DCB). DCB is a mobile payment method that allows users to charge digital content purchased from the Play Store to their prepaid or postpaid subscription.
The ‘Dark Herring’ operators were paid through these subscriptions, while the users remained unaware of the fraudulent charges until much later, often months after the infection. ‘Dark Herring’ was discovered by Zimperium zLabs, a Google partner and member of the Google App Defense Alliance, whose mission is to combat malware on the Google Play Store.
Dark Herring’s long-term success rested on evading anti-virus detection, widespread distribution across a large number of apps, code obfuscation, and the use of proxies as first-stage URLs. While none of these features is novel or surprising, seeing all of them combined in one piece of software is unusual for Android fraud.
Furthermore, the actors developed a complex infrastructure that accepted messages from all 470 application users yet processed each one individually based on a unique identity. There is no malicious code in the installed software, but it does have a hard-coded encrypted string that refers to a first-stage URL hosted on Amazon’s CloudFront.
The server’s response includes links to further JavaScript files hosted on Amazon Web Services instances, which are downloaded to the infected device. These scripts prepare the app to interact with the victim, generate unique IDs, collect language and country information, and determine which DCB platform to use in each case.
Finally, the app displays a modified WebView page that asks the victim to enter their phone number in order to receive a temporary OTP (one-time passcode), supposedly needed to activate their account in the app. Check out this GitHub page for the complete list of all 470 malicious Android apps.