Security News > 2022 > January > 105 million Android users targeted by subscription fraud campaign
Called 'Dark Herring', the operation used 470 Google Play Store apps and affected over 100 million users worldwide, potentially causing hundreds of millions of USD in total losses.
In total, the fraudulent apps were installed by 105 million users in 70 countries, subscribing them to premium services that charged $15 per month through Direct Carrier Billing.
The discovery of 'Dark Herring' comes from Zimperium zLabs, a Google partner and member of the Google App Defense Alliance, whose goal is to tackle the malware problem on the Play Store.
The long-term success of the Dark Herring relied on AV anti-detection capabilities, propagation through a large number of apps, code obfuscation, and the use of proxies as first-stage URLs.
These scripts prepare the app to acquire its configuration in relation to the victim, generate the unique identifiers, fetch the language and country details and determine which DCB platform is applicable in each case.
Finally, the app serves a customized WebView page that prompts the victim to enter their phone number, supposedly receive a temporary OTP code to activate the account on the application.