Select Page

105 million Android users were targeted in one of the biggest mobile malware heists in the last years. The operators of the “Dark Herring” fraud campaign cashed in millions of dollars through subscriptions from 470 different malicious apps in the Google Play Store.

This is a short recent story about unsuspecting users who are just finding out about the scam, several months after the infection. 

To begin with…


What is the Dark Herring Malware and How It Works?

A research team from Zimperium (a Google partner and member of the Google App Defense Alliance) discovered the Dark Herring malware, which is estimated to have stolen hundreds of millions in $15/month sums, per victim.

How is it possible that so many people fell into this trap?

Well, the long-term success of the Dark Herring malware operation comes from its AV anti-detection capacity, code obfuscation, and proxies used as first-stage URLs, as well as a massive propagation, through hundreds of apps.

None of the mentioned techniques are groundbreaking, but a combination of these into a single fraud campaign is.  

Its centralized and sophisticated infrastructure also lets the bad actors receive information from users all over the 470 apps while communicating back separately through unique identifiers.

Dark Herring WebView page

The installed apps didn’t contain malicious code. On the other hand, featured encrypted strings pointing to a first-stage URL hosted on Amazon’s CloudFront. It also contains links to additional javascript files hosted on AWS instances. These are downloaded into the device.

In a few words, the scripts prepare the app to adapt to the victim’s configurations, then to generate the unique identifier, fetch its language, as well as country details, to determine which DCB platform is applicable per case.

DCB: mobile payment option used to purchase on the Play Store with prepaid balance or postpaid bill. 

So, the app servers as a customized WebView page, prompting the victim to sign in using their phone numbers and receive a fake temporary OTP (one-time passcode) to finally activate the account on the app.

Speaking of DCB, the Dark Herring malware apps are also notorious for avoiding DCB consumer protection laws, helping itself enter in many countries succesfuly, as India, Pakistan, Saudi Arabia, Egypt, Greece, Finland, Sweden, Norway, Bulgaria, Iraq, and Tunisia.

Dark Herring malware Victimization likelihood heatmap

If you’re reading this from any of the previously mentioned countries, then be aware that the categories of these apps go around the spectrum of photography tools, casual games, utilities, and productivity apps, “Entertainment” being the most popular category. 

And even if you aren’t in any of these countries, you can still fail to revert any transactions if realize too late about this fraud. But to give you an extra idea for what should be looking for, here’s a few of the most popular Dark Herring apps, downloaded by several millions:


  • Smashex
  • Upgradem
  • Stream HD
  • Vidly Vibe
  • Cast It
  • My Translator Pro
  • New Mobile Games
  • StreamCast Pro
  • Ultra Stream
  • Photograph Labs Pro
  • VideoProj Lab
  • Drive Simulator
  • Speedy Cars – Final Lap
  • Football Legends
  • Football HERO 2021
  • Grand Mafia Auto
  • Offroad Jeep Simulator
  • Smashex Pro
  • Racing City
  • Connectool
  • City Bus Simulator 2

In GitHub, you can find a list with all the 470 malicious apps enlisted – and recently taken down from the Play Store.