Posted on January 28, 2022 at 5:10 PM
Security researchers at Zimperium zLabs have revealed that threat actors are using a sophisticated new malware, called ‘Dark Herring’ to infect millions of Android phones.
The hackers use a phony message to trick Android users into subscribing to a bogus service, siphoning $15 from the users via Direct Carrier Billing. Based on the report, about 105 million Android devices have been targeted.
The hackers use this billing method because users do not find out that they have been billed until the end of the month, when the monthly bill arrives.
As a result, victims could not react in time, and the threat actors kept taking money for months after the first infection. The report notes that the hackers could have made millions of dollars before finally ending the campaign.
The Malware Was Able To Stay Hidden For A Long Time
The researchers also revealed that the malware stayed undetected for several months. Dark Herring is regarded as a sophisticated piece of malware that uses layers of code obfuscation and anti-detection measures to stay under the radar. Although the malware was spread across more than 450 apps, it used a different method in each one, making it harder to monitor and detect.
However, the researchers noted that the apps do not contain any embedded malicious code themselves, only an encrypted string. This directs the user to a WebView page hosted on an Amazon CloudFront server.
Once the user reaches the page, it requests a login confirmation, prompting the user to enter their phone number. While the user enters the number, the malware works in the background to match the phone number to the user’s country and the Direct Carrier Billing provider it will use.
The researchers also underlined the sophistication of the campaign by pointing out that the threat actors invested heavily in infrastructure for its planning and execution. The operation was well funded, and judging by the tools they are working with, the attackers are probably already working on their next piece of sophisticated malware.
How The Hackers Utilized Dark Herring
The researchers have confirmed that the Dark Herring developers abused the Direct Carrier Billing feature to rip off unsuspecting victims.
The billing feature, which allows users to buy digital services or physical items using their phones, is very common in many countries.
In terms of functionality, the feature resembles Google Pay or Apple Pay, but the charges are applied to the phone bill rather than to a Google or Apple account. With a banking Trojan, the user sees that their account has been debited immediately after the Trojan makes a transaction. Dark Herring, however, charges directly to the phone bill, which in most cases is paid at the end of the month. This makes it very difficult to notice the charge immediately and report the incident. By the time the user receives their phone bill, the malware may already have finished its work.
Another difficulty is that the Dark Herring apps deliver the advertised functionality and services, which makes them very hard for security apps or users to identify. Many other malicious apps offer no working functionality to the user, but Dark Herring apps remain usable after installation. This means the apps can stay widely used while continuing their primary job of siphoning money.
Users Have Been Urged To Protect Their Devices
The apps carrying Dark Herring are generally functional photo editors, games and other basic apps.
As of the time of writing, the malicious apps have been taken down from the Google Play store, but some of them can still be found in third-party (“off-road”) app markets. The researchers stated that users should avoid app markets that are not well known or do not have a strong reputation. They also advised users to check whether they have installed one of the apps and to uninstall it as soon as possible.
Zimperium zLabs has also listed most of the Dark Herring-related apps on its web page so that users can check whether they have installed any of them.
Since the list is lengthy and in no particular order, the site suggests copying it and loading it in a desktop browser, where users can search for the names of any apps on their phones they have doubts about.
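For anyone checking more than one device, the manual search described above can be automated. The script below is an added example, not code from the article or from Zimperium; it assumes the standard `adb shell pm list packages -f` output format (real adb/pm command) and uses a constructed, placeholder blocklist. The real Dark Herring package names from the Zimperium zLabs list would have to be substituted for `BLOCKLIST` before use.

```python
"""Compare installed Android packages against a blocklist of package names.

Added example (not from the article or the Zimperium report). Assumes the
output format of `adb shell pm list packages -f`; the blocklist entries
below are constructed placeholders, not real Dark Herring identifiers.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# Constructed placeholder identifiers; NOT real Dark Herring package names.
BLOCKLIST = {
    "com.example.placeholder.photoeditor",
    "com.example.placeholder.puzzlegame",
}

# Constructed sample of `pm list packages -f` output, used for offline testing.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~abc==/com.example.placeholder.photoeditor-1/base.apk=com.example.placeholder.photoeditor
package:/product/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~def==/com.vendor.notes-2/base.apk=com.vendor.notes
"""

# `pm list packages` prints "package:<name>"; with -f it prints
# "package:<apk path>=<name>". The APK path itself may contain "=" characters
# (base64-like install directories), so the path is matched lazily and the
# name is anchored to the end of the line.
_LINE_RE = re.compile(r"^package:(?:(?P<path>.*?)=)?(?P<name>[A-Za-z0-9_.]+)\s*$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> APK path (None when the -f flag was not used)."""
    result: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _LINE_RE.match(line)
        if not match:
            continue  # skip unexpected lines rather than aborting the scan
        result[match.group("name")] = match.group("path")
    return result


def find_flagged(installed: Iterable[str], blocklist: Iterable[str]) -> List[str]:
    """Return sorted package names that are both installed and on the blocklist."""
    wanted = set(blocklist)
    return sorted(name for name in installed if name in wanted)


def scan_device(serial: Optional[str] = None) -> List[str]:
    """Query an attached device via adb and return flagged package names."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "pm", "list", "packages", "-f",
    ]
    output = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_flagged(parse_pm_list(output), BLOCKLIST)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample output.
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    for name in find_flagged(installed, BLOCKLIST):
        print(f"FLAGGED {name} at {installed[name]}")
```

Run it on the constructed sample to see one flagged package, or call `scan_device()` with a device attached. Matching on exact package name is deliberate: app titles are easy to change, and the names in Zimperium's list are what users are asked to search for.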