Over 100 million Android phones hit with malicious apps that steal your money — what to do

An Android "fleeceware" campaign has been discovered that began nearly two years ago, involved about 470 apps in the Google Play store that were downloaded at least 105 million times, and may have stolen hundreds of millions of dollars from phone users all over the world.

Researchers at security firm Zimperium have named the campaign "Dark Herring." In a report posted yesterday (Jan. 26), they explained that the apps themselves actually worked as promised — as games, entertainment apps, productivity tools, photo filters and so on.

(Another malware app, unrelated to Dark Herring, was found in the Google Play store a day later.)

But the apps also sent many users to deceptive web pages, tailored to the users' languages and countries of residence. Those pages asked users to enter their phone numbers for "verification," but in fact signed the users up to recurring charges that averaged $15 per month — a lot of money in some parts of the world.

The Zimperium researchers called Dark Herring "one of the most extensive and successful malware campaigns by measure of the sheer number of applications" that they had seen in 2021.

"The total amount of money scammed out of unsuspecting users could ... be well into the hundreds of millions of dollars," they added.

How to avoid and get rid of these malicious apps

The malicious apps are now gone from the Google Play store, but they can still be found in "off-road" app markets, according to Zimperium. You'll want to avoid installing one, and if you have one on your phone already, you'll want to uninstall it. 

There's a full list of the Dark Herring-related apps on this web page. Unfortunately, the list isn't in any particular order. 

Your best bet is to load that list in a desktop web browser, hit Control-F on your keyboard, and search for the names of any apps on your phone (or in an app store) of which you may have doubts. 

If you get a match on the name, you can confirm whether it's actually the same app by using the package name to the left of the name — it's the text string that begins "com." (Many Android apps have identical or similar names, but package names are unique.) 

On Google Play, the package name is the "id=" parameter at the end of an app listing's URL, so you can spot it there too. And if you think one of these apps is on your phone, copy and paste this URL into your desktop web browser's address bar:

https://play.google.com/store/apps/details?id=

... but don't hit Enter or Return just yet. Copy the suspicious app's package name from the list of Dark Herring apps, paste it onto the end of the URL directly after the equal sign, then hit Return or Enter. 

If you get a mostly blank Google Play page saying "We're sorry, the requested URL was not found on this server," then that package has been removed from Google Play. If an app with that package name is on your phone, uninstall it. 

If you get a regular app page, that package name is still live on Google Play, so it isn't one of the removed Dark Herring apps and you can keep it on your phone. Remember that the package name, not the display name, is what identifies an app: two apps can share a name, but not a package name.
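The same check, scripted for a phone connected with USB debugging enabled, as an added example that is not from the article or from Zimperium. "adb shell pm list packages" prints one "package:<name>" line per installed app; the script compares those names against a blocklist text file (one package name per line, for instance the Dark Herring list pasted into a file) and prints the Google Play listing URL for every exact match, so each hit can be checked in a browser as described above. The script name check_packages.sh and every package name used in it are placeholders, not real Dark Herring packages.

```sh
#!/bin/sh
# Added example, not from the article or Zimperium's report.
# Compares the packages installed on an Android device (as listed by
# `adb shell pm list packages`) against a blocklist file of package names,
# one per line, and prints the Google Play listing URL for each match.
#
# Usage:  adb shell pm list packages | sh check_packages.sh blocklist.txt

# The Google Play listing URL for a package name; the package name is the
# "id=" query parameter, as in the URL the article has you paste.
play_url() {
    printf 'https://play.google.com/store/apps/details?id=%s\n' "$1"
}

# Reads "package:<name>" lines on stdin (the `pm list packages` format) and
# prints the package names that also appear in the blocklist file $1.
# Blank lines and lines starting with '#' in the blocklist are ignored, and
# matching is exact on the full package name rather than a substring match,
# because many legitimate apps share common prefixes with malicious ones.
match_installed() {
    awk -v blocklist="$1" '
        BEGIN {
            while ((getline line < blocklist) > 0) {
                sub(/\r$/, "", line)               # tolerate Windows line endings
                if (line != "" && line !~ /^#/) blocked[line] = 1
            }
            close(blocklist)
        }
        /^package:/ {
            pkg = substr($0, 9)                     # strip the "package:" prefix
            sub(/\r$/, "", pkg)
            if (pkg in blocked && !(pkg in seen)) { seen[pkg] = 1; print pkg }
        }
    '
}

# Optional: ask Google Play for the listing's HTTP status code. 404 is the
# "requested URL was not found on this server" page the article describes,
# i.e. the listing is gone; 200 means the listing is still live. This needs
# network access, so it is not called automatically.
play_status() {
    curl -s -o /dev/null -w '%{http_code}' "$(play_url "$1")"
}

# When given a blocklist path, scan stdin and print "<package><TAB><url>".
if [ "$#" -eq 1 ]; then
    match_installed "$1" | while IFS= read -r pkg; do
        printf '%s\t%s\n' "$pkg" "$(play_url "$pkg")"
    done
fi
```

Run it with the phone plugged in and USB debugging turned on; any line it prints is a package from the blocklist that is installed on the device, and opening the printed URL (or calling play_status on the package) shows whether Google has since pulled the listing.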

How the Dark Herring fleeceware campaign works

Dark Herring operates by abusing direct carrier billing, a feature common in many countries by which phone users can buy physical items or digital services using their phones. 

Functionally, paying by direct carrier billing works much like paying through Apple Pay or Google Pay, except that the charge is added to the user's phone bill by the mobile carrier instead of being billed to an Apple or Google account.

Instead of cleaning out a user's cash, as a banking Trojan would do to a bank balance, Dark Herring simply milks the user's mobile-carrier account, tacking on extra recurring charges that the user might not notice. (A cynic would argue that many landline and mobile carriers already do something similar.)

Part of the subterfuge is that the Dark Herring apps aren't bogus and work as advertised so that the user won't detect anything amiss. 

"Unlike many other malicious applications that provide no functional capabilities, the victim can use these applications," Zimperium's report said, "meaning they are often left installed on the phones and tablets long after initial installation."

Again, the apps themselves don't attack the phones and don't contain any obviously malicious code, which is probably how they were able to get past Google Play's malware checks. In fact, many of the best Android antivirus apps' malware-detection engines didn't flag them either when we checked the apps' hashes in VirusTotal at the time of this writing.

Instead, the apps download additional scripts that determine the language each phone is set to and in which country the phone is located — suspicious but neither malicious nor unusual. That information is uploaded to a command-and-control server that makes a decision on whether to try to con the user.

If the decision is yes, the app then loads a malicious website, matching the user's country and language, that asks the user to submit a phone number "for verification." 

"Users are generally more comfortable with sharing information to a website in their local language," Zimperium wrote. "But in reality, they are submitting their phone number to a Direct Carrier Billing service that begins charging them an average of $15 USD per month."

Victims of Dark Herring were detected in more than 70 countries across the planet, including nearly every country in the Americas, Europe, Oceania and East Asia. 

However, users in about a dozen and a half countries, mostly in the Middle East, South Asia, Scandinavia and the Baltic states, were especially vulnerable "due to the lack of consumer [protections] from these types of Direct Carrier Billing scams," wrote Zimperium.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.