A fraudulent subscription campaign called Dark Herring has targeted over 100 million Android users around the world.
Diving into Dark Herring
The Dark Herring campaign caused losses worth hundreds of millions of dollars by abusing millions of devices through 470 Google Play Store apps.
- The apps subscribe users to premium services that charge $15 per month via Direct Carrier Billing (DCB).
- The operators of the Dark Herring campaign cashed out the subscriptions while users remained unaware of the infection and the fraudulent charges for a long time, sometimes several months.
Millions at risk
The fraudulent apps have been installed by 105 million users in 70 countries.
Modus operandi
The attackers used a sophisticated infrastructure that received communications from all the users of the 470 applications.
- The installed app does not come with any malicious code. It uses a hard-coded encrypted string that leads the users to a first-stage URL hosted on Amazon’s CloudFront.
- The response from the server includes links to other JavaScript files hosted on AWS instances. These files are downloaded onto the compromised device.
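The staged loading described above leaves a pattern in network logs: an app fetches from a CloudFront host and then pulls JavaScript from AWS hosts shortly after. The following is an added example, not code from the campaign analysis, that correlates this sequence per device and app as a triage signal (many legitimate apps also use CloudFront and AWS, so a hit is a lead, not a verdict). The log format, package names, hostnames, and the 60-second window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: time, device, app package, host, path.
SAMPLE_LOG = """\
2022-01-10T09:00:01 dev-01 com.example.game d1abcexample.cloudfront.net /cfg
2022-01-10T09:00:03 dev-01 com.example.game ec2-203-0-113-7.compute-1.amazonaws.com /a/loader.js
2022-01-10T09:00:04 dev-01 com.example.game ec2-203-0-113-7.compute-1.amazonaws.com /a/sub.js
2022-01-10T09:05:00 dev-02 com.example.news d2xyzexample.cloudfront.net /img/logo.png
2022-01-10T09:05:02 dev-02 com.example.news api.example.org /v1/articles
2022-01-10T09:30:00 dev-03 com.example.chat d3qrsexample.cloudfront.net /init
2022-01-10T09:45:00 dev-03 com.example.chat ec2-198-51-100-9.compute-1.amazonaws.com /lib.js
"""

def parse(line):
    """Split one log line into (timestamp, device, app, host, path)."""
    ts, device, app, host, path = line.split()
    return datetime.fromisoformat(ts), device, app, host.lower(), path

def find_staged_loads(log_text, window_s=60):
    """Return (device, app, first_stage_host, [js_urls]) for each CloudFront
    fetch followed within window_s seconds by .js downloads from AWS hosts."""
    by_app = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, device, app, host, path = parse(line)
            by_app[(device, app)].append((ts, host, path))
    hits = []
    for (device, app), events in sorted(by_app.items()):
        events.sort()  # chronological order per device/app pair
        for i, (t0, host, _) in enumerate(events):
            if not host.endswith(".cloudfront.net"):
                continue
            # Later requests by the same app, inside the window, for scripts on AWS.
            js = [f"{h}{p}" for t, h, p in events[i + 1:]
                  if 0 <= (t - t0).total_seconds() <= window_s
                  and h.endswith(".amazonaws.com")
                  and p.split("?")[0].endswith(".js")]
            if js:
                hits.append((device, app, host, js))
    return hits

if __name__ == "__main__":
    for hit in find_staged_loads(SAMPLE_LOG):
        print(hit)
```
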
Conclusion
The Dark Herring campaign has been ongoing for almost two years and has already targeted millions of users. This indicates that downloading apps from genuine stores does not always guarantee the safety of users. Users must therefore be watchful of activity occurring in their banking accounts.
