We're used to being suspicious of peculiar emails or text messages about an awaiting package, but mobile application stores such as Google Play are just as effective (if not more so) as an infection vector. More than one hundred million Android device users downloaded at least one of the 470 malicious apps lurking on the Google Play store.

How does the Dark Herring infection work?

Once the malicious application is installed, Dark Herring loads a first-stage URL into a WebView, a system component of the Android operating system that lets Android apps display web content directly inside an application. According to Zimperium, this URL is always an endpoint hosted on CloudFront. The malware sends a GET request to the URL, which replies with links to JavaScript files hosted on Amazon Web Services (AWS) instances.

Each JS file has a function that advances the infection process; one, for example, instructs the application to obtain a unique identifier for the device, which is eventually used to construct a final-stage URL. The response to this final URL provides a customized configuration that tells the app how to behave and proceed depending on the victim's distinct profile.
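As an added defender-side illustration (not code from Zimperium's report or from ThreatSTOP's products), the following Python triage heuristic looks in a proxy log for the staged pattern described above: a first request to a CloudFront endpoint, JavaScript fetched from AWS hosts, then a request carrying a device identifier. The log lines, hostnames, time window and identifier query keys are constructed assumptions, and because CloudFront and AWS also serve plenty of legitimate app traffic the output is a list of chains to review, not a block list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log (not real Dark Herring traffic): "<ts> <client> GET <url>".
# Hostnames and the android_id value are placeholders.
SAMPLE_LOG = """\
2022-01-26T10:00:01 10.0.0.5 GET https://d111111abcdef8.cloudfront.net/stage1
2022-01-26T10:00:02 10.0.0.5 GET https://ec2-1-2-3-4.compute-1.amazonaws.com/loader.js
2022-01-26T10:00:03 10.0.0.5 GET https://ec2-1-2-3-4.compute-1.amazonaws.com/deviceid.js
2022-01-26T10:00:05 10.0.0.5 GET https://config.example-placeholder.net/final?android_id=9774d56d682e549c
2022-01-26T10:00:07 10.0.0.9 GET https://d222222abcdef8.cloudfront.net/static/app.css
2022-01-26T10:00:09 10.0.0.9 GET https://www.example.org/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET (\S+)$")
# Assumed query keys that carry a device identifier; extend for your environment.
DEVICE_ID_KEYS = {"android_id", "device_id", "gaid", "imei", "uid"}
WINDOW = timedelta(seconds=60)  # assumed: stage 1 to stage 3 must complete within this window


def parse_log(text):
    """Return (timestamp, client, url) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)


def find_staged_loader_chains(events):
    """Flag clients whose requests follow the three-stage pattern: CloudFront -> AWS .js -> device-id URL."""
    per_client = defaultdict(list)
    for ts, client, url in events:
        per_client[client].append((ts, url))
    hits = []
    for client, reqs in per_client.items():
        stage, start, chain = 0, None, []
        for ts, url in reqs:
            u = urlparse(url)
            host = u.hostname or ""
            if stage and ts - start > WINDOW:  # chain timed out; start over
                stage, chain = 0, []
            if stage == 0:
                if host.endswith(".cloudfront.net"):
                    stage, start, chain = 1, ts, [url]
            elif stage == 1 and host.endswith(".amazonaws.com") and u.path.endswith(".js"):
                stage, chain = 2, chain + [url]
            elif stage == 2 and DEVICE_ID_KEYS & set(parse_qs(u.query)):
                hits.append((client, chain + [url]))  # full chain observed: report for review
                stage, chain = 0, []
    return hits
```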


The money extortion method

Based on the received configuration, the malicious app shows the victim a mobile web page prompting them to submit their phone number to activate the app, including DCB charges. Direct carrier billing (DCB) is a mobile payment method that many users around the globe rely on; it adds charges for non-telecom services to the consumer's monthly phone bill. Once a victim has downloaded the app and seen the seemingly trustworthy prompt, chances are they will enter their phone number without even noticing that they are about to pay cyber criminals.


Dark Herring's Global Spread

Most areas of the world are exposed to this well thought-out campaign. The group behind it is clearly invested in the scheme, having built a versatile campaign with almost 500 different malicious applications and using geo-targeting to deliver the application (and scam page) in the victim's native language. The applications in this campaign all managed to evade Google Play Protect, successfully posing as high-quality apps that include the features and functionality advertised on the Play store.

Image courtesy of Zimperium


Google Play malware apps are no joke

Dark Herring isn't the only campaign running via malicious applications. The Vultur trojan, a bank credential stealer, recently made headlines after being innocently downloaded more than 10,000 times from the Google Play store dressed as a legitimate two-factor authentication (2FA) application. The app, called "2FA Authenticator", disguised the malware dropper. Aside from using Vultur to steal financial and banking data with sophisticated tactics such as keylogging and screen recording, the app also acquires permissions for a range of other malicious activities on the victim's device, including:

  • Accessing user location data for geo-targeted attacks
  • Disabling the device lock and password security
  • Downloading third-party applications
  • Taking over control of the device even if the app is shut down

If you are a ThreatSTOP customer, add our Mobile Threats (domains) and Mobile Threats IPs protection bundles to your policy for the best protection against mobile malware for iOS, Android, Windows phone and more.

Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network?