Google partner Zimperium zLabs has recently discovered a sophisticated scam targeting more than 100 million Android users. The scam has been in operation right under Google’s nose for nearly two years.
The scam has now been shut down by Google but while it was in operation, it spanned some 470 Android apps on the Play Store. It was quietly subscribing users who installed the infected apps to a premium service that charged $15 USD per month through Direct Carrier Billing (DCB).
The decision to leverage DCB is both brilliant and terrifying. It’s a legitimate mobile payment option that allows people to pay for digital content from the Play Store either via their pre-paid balance or post-paid with a bill.
Oftentimes, a user would be subscribed to a premium service for months before they noticed. While that was happening, the scammers behind the attack (dubbed Dark Herring by the group that discovered it) were raking in profits from some 106 million Android users spread over more than 70 different countries.
Each of the hundreds of different apps that were infected with the malware had a different identifier. That means the scammers were able to track (with some granularity) which apps were bringing them in the most illicit profits.
One thing that this attack really underscored is how hard it is to stop something like this that has a global footprint. Consumer protection laws vary wildly from one country to the next. So while users in some countries may have legal recourse, users in most other countries have no protection at all. They’re simply out the money.
In any case kudos to the folks at Zimperium for their sharp eyes and to Google for taking swift action to dismantle the campaign. Unfortunately, the fact that it’s now defunct is small consolation to the millions who lost money while it existed.