Security researchers at Zimperium discovered the campaign, which adds a $15 charge per month for every victim. Over time, and with a widespread victim network, the campaign has become extremely lucrative. In fact, Zimperium’s researchers estimate that the stolen amount ranges in hundreds of millions. Google has removed all 470 malicious applications from the Play Store, and Zimperium claims the scam services are down. However, any device which still has an infected app could still pose a risk down the road.
Dark Herring Malware has Victims in Over 70 Countries
Mobile applications containing Dark Herring subscribe victims to paid services, which on average cost $15 per month. Once infected, the malware gains access to the victim’s IP address to learn their geo-location. It uses this information to direct users to targeted malicious web pages in their local language. The web pages ask the targets to submit their phone numbers for verification. However, if a target provides their number, they are automatically signed up for a direct call billing service, which is a common method of mobile payments in under-banked countries. They add charges for their non-telecom services directly to a customer’s mobile bill. “The victim does not immediately notice the impact of the theft, and the likelihood of the billing continuing for months before detection is high, with little to no recourse to get one’s money back,” the researchers said.
Dark Herring Campaign is an Extensive and Concerted Effort
The Dark Herring campaign stands out for its level of sophistication. Zimperium says it is “one of the most extensive and successful malware campaigns” based on the magnitude of applications that it spread to over such a short period of time. The researchers also believe the campaign was an “extensive, concerted effort by a well-organized group.” This is because of how the threat actors produced so many malicious apps and submitted them to the Play Store. Zimperium also found evidence of significant financial investment from the group to operate the campaign on a global scale. The researchers also noticed “a pattern in the C&C communication, which suggests that the threat actors have developed an infrastructure to handle the communication coming from several applications with unique identifiers and responding accordingly.”
Researchers Believe Threat Actors Will Return
The researchers point out 6 key reasons behind the campaign’s success. It added that it is rare to see a combination of so many features used with such sophistication. These are:
The novel techniques used which were not detected by other AV vendors Using 470 scamware applications Using proxies as first-stage URLs Identifying targets through geo-locations based on IP addresses Vetting users before deciding to sign them up to direct call billing Using sophisticated architecture to conceal their actual purpose
Due to the success of this campaign, Zimperium believes that the threat actors are likely to refine their strategy and return in the future. If you want to avoid such troubles, check out our list of the best and most secure smartphones that you can buy.
