EXECUTIVE SUMMARY:

The Dark Herring malware currently affects more than 105 million Android devices, which, to offer context, is more devices than the number of people living in Switzerland, Israel, Hong Kong, Sweden, Greece, Cuba, Cambodia, Denmark and the Congo, combined.

In roughly $15.00 increments, hackers have managed to steal hundreds of millions of dollars from ordinary people. While Google has since removed the compromised applications from its Play Store, the danger lingers for people who have installed any of the 470 affected apps.

How it works

When looking at Android applications in the Google Play store, the applications featuring Dark Herring malware are inconspicuous. Yet, users’ sense of confidence and security may start to dissipate when they notice month-over-month billing from a group external to their direct carrier’s billing system.

Around the world, direct carrier billing (DCB) allows customers to send purchase charges directly to their phone carriers, who then send a comprehensive service bill on a monthly basis.

[Figure: pie chart of the app categories in which the Dark Herring malware was hidden. The apps covered a range of categories, from entertainment to racing to photography. Image courtesy of Threatpost.com.]

In contrast with other malicious applications, which do not permit actual application use, these 470 applications appear to work normally from install onwards, leaving users blind to their true malicious nature.

What it means

The fact that 470 different applications managed to get past Google’s application security checks says that hackers are growing increasingly sophisticated, and we’re struggling to keep up.

Experts also say that this malicious campaign shows a highly developed infrastructure, as Dark Herring leveraged proxies at first-stage URLs for detection evasion purposes. The campaign also used geo-targeting to present the application in geographically appropriate languages.

Further implications

Many consumers rely on direct carrier billing (DCB) as a mobile payment method. Because millions of consumers failed to notice the fraudulent payments for months, the cyber criminals behind this campaign developed a stable cash flow from victims. The total amount stolen could reach into the hundreds of millions of dollars.

The Dark Herring malware group’s significant financial gains put the attackers in a position to invest in more campaigns like this one. Researchers expect that the Dark Herring group will increase in prominence and garner further media attention in the future.

How to get rid of these apps

If you’re concerned about having potentially downloaded one of these malicious apps by mistake, take a look at the full list of Dark Herring-related apps here. The list is fairly extensive and the app names are not listed in any specific order.

To make the search process easier, consider loading the list on your desktop browser, pressing Ctrl + F on your keyboard, and searching for names of specific apps you’ve downloaded.

Based on the list, if it seems that you may have downloaded a malicious app, you can confirm whether or not it’s actually a malicious app by looking at the package name (to the left), which will begin with “com.” A lot of apps have similar names, but package names are distinctive.
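The manual check above (search the published list, then confirm by exact package name rather than by app name) can be automated for anyone comfortable with Android's developer tools. The script below is an added example and is not part of the original article or of any published Dark Herring tooling. It assumes that `adb` is installed with USB debugging enabled on the phone, that the package list is read from `adb shell pm list packages`, and that the known-bad list has been saved to a text file with one app per line, app name followed by package name, in the layout the article describes. Every app and package name in the script is a constructed placeholder; the real names come only from the published list linked above.

```python
"""Match installed Android package names against a list of known-bad packages.

Added example (not from the article). Matching is done on the exact package
name, as the article recommends, because display names collide while package
names are distinctive. All names below are constructed placeholders.
"""
import re
import shutil
import subprocess

# Constructed stand-in for the output of `adb shell pm list packages`.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.example.racing.turbo
package:com.example.photo.editor.pro
package:com.google.android.gms
"""

# Constructed stand-in for the published list: app name, then package name.
SAMPLE_LIST_TEXT = """\
Turbo Racing Fun        com.example.racing.turbo
Clip Stream Plus        com.example.entertainment.clips
"""

# The article states that the listed package names begin with "com.", so the
# extractor follows that (an assumption about the list's layout, not a rule
# of Android packaging in general).
PACKAGE_RE = re.compile(r"\bcom\.[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*")


def extract_package_names(list_text: str) -> set:
    """Pull package names out of the free-form published list text."""
    return set(PACKAGE_RE.findall(list_text))


def parse_pm_list(pm_output: str) -> set:
    """Turn `pm list packages` output ("package:<name>" per line) into a set."""
    packages = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):].strip())
    return packages


def find_matches(installed: set, known_bad: set) -> list:
    """Exact package-name intersection, sorted for stable output."""
    return sorted(installed & known_bad)


def installed_packages_via_adb() -> set:
    """Read the installed package list from a connected device over adb."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found on PATH")
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages"],
        capture_output=True, text=True, check=True,
    )
    return parse_pm_list(result.stdout)


def check_device(list_path: str) -> list:
    """Load the saved list, query the device, and return matching packages."""
    with open(list_path, encoding="utf-8") as fh:
        known_bad = extract_package_names(fh.read())
    return find_matches(installed_packages_via_adb(), known_bad)


if __name__ == "__main__":
    import sys
    # Usage: python check_packages.py known_bad_list.txt
    hits = check_device(sys.argv[1])
    if hits:
        print("Installed packages that appear on the list:")
        for pkg in hits:
            print("  ", pkg)
    else:
        print("No installed package matches the list.")
```

Because the comparison is on the full package string, an unrelated app that merely shares a display name with a listed one (the "similar names" the article warns about) will not be reported, while the listed package will be reported even if it was renamed on the home screen.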

For more information on the latest major malware campaigns, see CyberTalk.org’s past coverage, here.