

A cash-stealing malware dubbed Dark Herring has been wreaking havoc on Android devices, reportedly depriving users of hundreds of millions of dollars. In this wave of attacks, almost 500 malicious apps on Google Play were involved and managed to deploy Dark Herring.

How Dark Herring Works

The malware now making headlines was discovered by researchers from Zimperium. According to the researchers, the threat actors stole $15 a month per victim, amounting to hundreds of millions in total.

It’s worth mentioning that Google has since addressed the issue and removed the compromised applications (470) from its Play Store. The company also mentioned that the scam services are down at the moment.

The danger remains for those who already installed those apps, as they might be compromised. Besides, the apps remained active in third-party stores.

These malicious Android applications appear harmless when looking at the store description and requested permissions, but this false sense of confidence changes when users get charged month over month for premium service they are not receiving via direct carrier billing. Direct carrier billing, or DCB, is the mobile payment method that allows consumers to send charges of purchase made to their phone bills with their phone number. Unlike many other malicious applications that provide no functional capabilities, the victim can use these applications, meaning they are often left installed on the phones and tablets long after initial installation.


According to the report published by the researchers, the errant charge of $15 may go unnoticed by users for months, but statistics show that many victims may have suffered financial losses, as this malware was present on more than 105 million Android devices.

As analysts note, the threat actors behind this malicious campaign managed to create “a stable cash flow of illicit funds from these victims”, thereby fueling their monthly recurring revenue. This group appears to leverage new infrastructure and techniques.

The global campaign was first spotted in March 2020 and remained active through last November.

Once the Android app is installed, a first-stage URL hosted on Cloudfront is loaded into a web view. An initial GET request is then sent to that URL, and the response includes links to JavaScript files. The application then fetches these resources, and the infection proceeds as the geo-targeting component is enabled.

Why Was Dark Herring Successful?

The hackers behind this global-scale malware used savvy techniques: they employed geo-targeting so that the application appeared in the language of the targeted user. As the experts underline, this is what made the campaign successful: a social engineering method that exploits users’ susceptibility to share personal data with a website displayed in their native language.

The campaign also showed versatility: mobile users from over 70 different countries were impacted, with the content presented according to the user’s IP address.

The threat actors responsible for Dark Herring generated and published almost 470 applications on the Google Play Store over a long period, with the earliest submission dating to March 2020 and as recently as November 2021. The number of applications attributed to this campaign indicates that the motivated and persistent threat actors are continuously scaling up their architecture and resources to infect as many victims as possible to maximize their gains.


The malicious campaign also showed a robust infrastructure, as Dark Herring leveraged proxies as first-stage URLs to evade detection.

Countries with less stringent consumer protections for telecommunications users were the main focus of the threat actors; here the researchers listed Egypt, Finland, India, Pakistan, and Sweden.


Author Profile

Andra Andrioaie

Security Enthusiast


Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!
