Diving into Dark Herring
- The apps subscribe users to premium services that charge $15 per month via Direct Carrier Billing (DCB).
- The operators of the Dark Herring campaign cashed out the subscriptions while users remained unaware of the infection and the fraudulent charges for a long time, sometimes several months.
- The names of some malicious apps are Smashex, Upgradem, Stream HD, Vidly Vibe, and Cast It. They pretended to be casual games, photography tools, utilities, and productivity apps.
Millions at risk
- So far, the fraudulent apps have been installed by 105 million users in 70 countries.
- Countries with no DCB consumer protection laws, such as India, Finland, Saudi Arabia, Egypt, Greece, Sweden, Norway, Bulgaria, Iraq, Tunisia, and Pakistan, are at greater risk.
- The installed app does not itself contain any malicious code. It carries a hard-coded encrypted string that resolves to a first-stage URL hosted on Amazon's CloudFront.
- The scripts retrieved from that first stage prepare the app's configuration for the specific victim, print unique identifiers, fetch language and country information, and determine which DCB platforms apply in each case.
- Finally, the app displays a customized WebView page urging the victim to enter a phone number, ostensibly to receive a temporary OTP code that activates the account in the application.
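The infection chain above starts from a string that does not look like a URL until it is decoded. One heuristic an analyst can run over strings dumped from an app, given here as an added example (not code from the campaign or from the researchers who reported it), is to try to recover URLs hidden behind simple encodings and flag any that point at cloudfront.net. Base64 and a single-byte XOR over a hex blob are assumed encodings for illustration; the report does not state the real scheme. The sample strings are constructed.

```python
"""Static heuristic: surface URLs hidden in encoded or trivially obfuscated
strings pulled from an Android app, and flag ones pointing at hosts an
analyst wants to review. Added example; not the campaign's or a vendor's code."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
REVIEW_HOSTS = ("cloudfront.net",)  # assumption: hosts worth a second look


@dataclass
class Finding:
    source: str      # the raw string as found in the app
    method: str      # how the URL was recovered
    url: str
    suspicious: bool


def _printable(data: bytes) -> Optional[str]:
    """Return the text if every byte is printable ASCII, else None."""
    if data and all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return None


def _host_flagged(url: str) -> bool:
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return any(host == h or host.endswith("." + h) for h in REVIEW_HOSTS)


def find_hidden_urls(strings: Iterable[str], xor_keys=range(1, 256)) -> List[Finding]:
    """Try plain, base64 and hex+single-byte-XOR decodings of each string."""
    findings: List[Finding] = []
    for s in strings:
        # 1. URLs in clear text
        for url in URL_RE.findall(s):
            findings.append(Finding(s, "plain", url, _host_flagged(url)))
        # 2. Base64 (assumed encoding); strict validation rejects ordinary text
        if len(s) % 4 == 0 and len(s) >= 8:
            try:
                text = _printable(base64.b64decode(s, validate=True))
            except (binascii.Error, ValueError):
                text = None
            if text:
                for url in URL_RE.findall(text):
                    findings.append(Finding(s, "base64", url, _host_flagged(url)))
        # 3. Hex blob XORed with one byte (assumed scheme): brute-force the key
        if len(s) % 2 == 0 and len(s) >= 16:
            try:
                raw = bytes.fromhex(s)
            except ValueError:
                raw = None
            if raw:
                for key in xor_keys:
                    text = _printable(bytes(b ^ key for b in raw))
                    if text:
                        for url in URL_RE.findall(text):
                            findings.append(
                                Finding(s, f"hex+xor(0x{key:02x})", url, _host_flagged(url)))
    return findings


# Constructed sample, standing in for a strings dump of a decompiled app.
def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def _xor_hex(text: str, key: int) -> str:
    return bytes(b ^ key for b in text.encode()).hex()


SAMPLE_STRINGS = [
    "res/layout/activity_main.xml",
    "Vidly Vibe",
    "https://example.com/privacy",                              # benign, in clear
    "SGVsbG8gd29ybGQ=",                                         # base64 "Hello world"
    _b64("https://d123example.cloudfront.net/init.js"),         # hidden first stage
    _xor_hex("https://d123example.cloudfront.net/stage2.js", 0x5A),
]

if __name__ == "__main__":
    for f in find_hidden_urls(SAMPLE_STRINGS):
        flag = "REVIEW" if f.suspicious else "ok"
        print(f"[{flag}] {f.method:<14} {f.url}  <- {f.source[:32]}")
```

The printable-ASCII check is what keeps the XOR brute force quiet: a wrong key turns a URL into bytes outside the printable range, so only the real key yields a candidate. The host list is deliberately small; in practice an analyst would compare recovered hosts against the app's declared backend rather than a fixed string.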
The Dark Herring campaign has been ongoing for almost two years and has already targeted millions of users. It shows that downloading apps from genuine stores does not always guarantee users' safety, so one must also keep a close watch on activity in one's banking accounts.