Huge subscription fraud campaign hits over 100 million Android users

app security
(Image credit:

A widespread Android subscription fraud campaign has been discovered actively stealing from users money.

Uncovered by cybersecurity researchers from Zimperium zLabs, the “Dark Herring” campaign consists of some 470 apps, all found in the official Google Play Store. 

The apps, most of which fall in the entertainment category, have all offered “premium” services for registered users. Those that would register an account, would be billed up to $15, through Direct Carrier Billing (DCB).

No malware present

DCB is a mobile payment method, allowing consumers to pay for things they buy online, via the bill for their phone plan. This means users that installed these apps would not know they’d been charged for anything, until the phone bill arrives in the mail. 

Furthermore, as these apps can still be used, and many people don’t check the details of their phone bills, in some instances, the charging went on for months, the researchers hint.  

As these apps don’t necessarily carry malware with them, the fraud was relatively difficult to detect. In some cases, it was said, the victims took months before noticing that they had been fraudulently charged on their account.

In total, these apps were downloaded on 105 million devices, located in 70 countries around the world. All of this, researchers say, make Dark Herring the longest-running mobile SMS scam discovered. 

Here are some of the apps used in the campaign: 

  • Smashex
  • Upgradem
  • Stream HD
  • Vidly Vibe
  • Cast It
  • My Translator Pro
  • New Mobile Games
  • StreamCast Pro
  • Ultra Stream
  • Photograph Labs Pro

Researchers from Zimperium believe the operators made away with “hundreds of millions” of dollars, so far. 

While Google has since removed all of the apps from the Play Store (the full list can be found here) many can still be downloaded from third-party repositories online.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.