fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

105 million Android Users Targeted by Subscription Fraud Campaign

105 million Android Users Targeted by Subscription Fraud Campaign

A premium services subscription scam for Android has been operating for close to two years. Called ‘Dark Herring’, the operation used 470 Google Play Store apps and affected over 100 million users worldwide, potentially causing hundreds of millions of USD in total losses.

‘Dark Herring’ was present in 470 applications on the Google Play Store, Android’s official and most trustworthy source of apps, with the earliest submission dating to March 2020.

In total, the fraudulent apps were installed by 105 million users in 70 countries, subscribing them to premium services that charged $15 per month through Direct Carrier Billing (DCB).

Also Read: PDPA For Companies: Compliance Guide For Singapore Business

DCB is a mobile payment option that lets people purchase digital content from the Play Store, charging it to their prepaid balance or postpaid bill.

The operators of ‘Dark Herring’ cashed the subscriptions while users realized the fraudulent charges much later, sometimes several months after the infection.

The discovery of ‘Dark Herring’ comes from Zimperium zLabs, a Google partner and member of the Google App Defense Alliance, whose goal is to tackle the malware problem on the Play Store.

How the malware works

The long-term success of the Dark Herring relied on AV anti-detection capabilities, propagation through a large number of apps, code obfuscation, and the use of proxies as first-stage URLs.

While none of the above is new or groundbreaking, seeing them combined into a single piece of software is rare for Android fraud.

Moreover, the actors used a sophisticated infrastructure that received communications from all users of the 470 applications but handled each separately based on a unique identifier.

The installed app doesn’t contain any malicious code but features a hard-coded encrypted string that points to a first-stage URL hosted on Amazon’s CloudFront.

The response from the server contains links to additional JavaScript files hosted on AWS instances, which are downloaded onto the infected device.

Response from the first-stage URL
Response from the first-stage URL
Source: Zimperium

These scripts prepare the app to acquire its configuration in relation to the victim, generate the unique identifiers, fetch the language and country details and determine which DCB platform is applicable in each case.

Finally, the app serves a customized WebView page that prompts the victim to enter their phone number, supposedly receive a temporary OTP (one-time passcode) code to activate the account on the application.

Also Read: 10 Government Data Leaks In Singapore: Prevent Cybersecurity

Requesting the victim's phone number via a customized page
Requesting the victim’s phone number via a customized page
Source: Zimperium

Apps and targets

With 470 applications to distribute the malware, the targeted demographics was quite diverse. Most of these apps fell in the broader and more popular “Entertainment” category.

Other prevalent Dark Herring apps were photography tools, casual games, utilities, and productivity apps.

One key factor in the consequences of the Dark Herring operation is the absence of DCB consumer protection laws, so some countries were targeted more zestfully than others.

Those at greater risk were India, Pakistan, Saudi Arabia, Egypt, Greece, Finland, Sweden, Norway, Bulgaria, Iraq, and Tunisia.

Victimization likelihood heatmap
Victimization likelihood heatmap
Source: Zimperium

Even in countries where strict DCB protection rules apply, if the victims are late to realize the fraud, reverting the transactions may be impossible.

The most popular Dark Herring apps that each counts several million downloads are:

  • Smashex
  • Upgradem
  • Stream HD
  • Vidly Vibe
  • Cast It
  • My Translator Pro
  • New Mobile Games
  • StreamCast Pro
  • Ultra Stream
  • Photograph Labs Pro
  • VideoProj Lab
  • Drive Simulator
  • Speedy Cars – Final Lap
  • Football Legends
  • Football HERO 2021
  • Grand Mafia Auto
  • Offroad Jeep Simulator
  • Smashex Pro
  • Racing City
  • Connectool
  • City Bus Simulator 2

To access the entire list of all 470 malicious Android applications, check out this GitHub page.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us