The campaign of fraud was dubbed ‘Dark Herring’, with con artists using 470 apps found on the Google Play Store to infect the devices of 105 million Android users worldwide. The operation was launched as early as March 2020, with victims secretly signed up to expensive subscription services that charged them over £11 a month. It’s believed the ‘Dark Herring’ operation has cost Android users hundreds of millions of pounds in total.
Android users in 70 countries fell victim to the con after downloading compromised apps that spread the scam from the official Google Play Store.
The most popular Android apps that spread ‘Dark Herring’ were each downloaded several million times, with City Bus Simulator 2, Drive Simulator, Football HERO 2021 and Stream HD among the affected programmes.
The ‘Dark Herring’ scam was discovered by security experts at Zimperium.
This firm is a Google partner and a member of Google’s App Defense Alliance, which works on tackling the threat of malware on the Play Store.
One particularly insidious thing about ‘Dark Herring’ is the way it charges Android users.
Instead of trying to charge a credit or debit card linked to the Play Store, money for the bogus subscriptions is paid via Direct Carrier Billing (DCB).
This payment method lets people add the cost of digital content purchased via the Play Store to their monthly carrier bill.
Because the bogus subscriptions are charged this way, victims may not realise they’ve been charged for something they didn’t want until weeks later.
Outlining its findings online, Zimperium said: “These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for premium service they are not receiving via direct carrier billing. Direct carrier billing, or DCB, is the mobile payment method that allows consumers to send charges of purchase made to their phone bills with their phone number. Unlike many other malicious applications that provide no functional capabilities, the victim can use these applications, meaning they are often left installed on the phones and tablets long after initial installation.”
At the time of publishing its research, Zimperium said all malicious apps had been removed from the Google Play Store, along with accompanying phishing sites and scam services.
If you’re wondering whether you’re at risk, here is a list of the 21 most popular apps that were found on the Google Play Store and used to spread the scam…
Smashex, Upgradem, Stream HD, Vidly Vibe, Cast It, My Translator Pro, New Mobile Games, StreamCast Pro, Ultra Stream, Photograph Labs Pro, VideoProj Lab, Drive Simulator, Speedy Cars – Final Lap, Football Legends, Football HERO 2021, Grand Mafia Auto, Offroad Jeep Simulator, Smashex Pro, Racing City, Connectool, City Bus Simulator 2
While these apps and others have been removed from the Google Play Store, if you installed any of them before they were delisted you will still be at risk. Check whether these apps have signed you up for any expensive subscriptions without you realising. You will be able to do this in the profile section of the Google Play Store app, under ‘Payments and subscriptions’. After cancelling any suspicious subscriptions, make sure you delete the offending app from your device.