X

Researchers Unearth SMS-Based Android Malware Called 'Dark Herring'

Malware image
Advertisement

The researchers at Zimperium zLabs have uncovered a new malware that has impacted millions of users. The team at zLabs has named this malware “Dark Herring,” deeming it the longest-running mobile SMS scam. There have been a total of 105 million victims around the world, according to the team.

In a detailed report published on its official website, zLabs researchers detail how this malware affects Android users. It has some key differences from traditional malware applications. Dark Herring masks itself within a normal-looking app to keep up pretenses. In fact, users can even use these apps frequently. By doing this, the cybercriminals ensure the apps remain on the device long after the initial installation.

Some of these malicious apps were reportedly published on the Play Store and third-party app hubs. Thankfully, the zLabs team sent the report’s findings to Google and other relevant web hosts. Not long after, the malicious apps were removed entirely in a ”coordinated takedown.”

Advertisement

“At the time of publishing, the scam services and phishing sites are no longer active, and Google has removed all the malicious applications from Google Play,” the research team notes. The malware impacted 470 Android applications.

 

The team didn’t have precise data on how much money may have been scammed out of users so far. But based on the scale of this malware, it could easily be millions of dollars per month. Researchers found that the Dark Herring malware could have wrongly charged users up to $15/month on average.

Advertisement

Dark Herring Apps Per CategoryDark Herring apps have been flocking the internet since at least March 2020

The malware was reportedly operational in over 70 countries hiding beneath web pages in the user’s local language. It could identify the user’s local language based on IP address information. As the zLabs team points out, users are more likely to click on a link that’s in their local language. After infiltrating the device through these means, the malware then determines whether to attack the victim via Direct Carrier Billing subscription using server-side logic.

Some of the apps involved in the Dark Herring malware date back to March 2020. Meanwhile, the most recent is from November 2021. What makes scams like this particularly concerning is the fact that it is usually tied to carrier billing. This means that many customers won’t realize they’re paying for a service they aren’t using until it’s too late.

As with the GriftHorse malware reported months ago, some Dark Herring apps are still lurking on third-party app hubs. Keeping this in mind, Android users should be highly cautious while downloading something from a third-party app marketplace. It’s also helpful to remember that if you lose money through such malware, there’s little to no hope of getting it back.

Advertisement

You can find additional details about the Dark Herring malware from the link here.