470 popular Android apps you should delete immediately

After scammers stole millions more from Android users, the next Google glitch now follows. More than 100 million users have fallen victim to the two-year “Dark Herring” campaign.

Google can’t get a handle on malware attacks that get onto smartphones via innocuous-looking apps from the Play Store. Cybercriminals are investing more and more money in large-scale scam campaigns that often span several years. Currently, almost 470 malware-infected apps are still in circulation.

Malware apps charge money via the phone bill

Just recently, security company “Zimperium” uncovered the “GriftHorse” Trojan campaign, which was also reported by atechbook. In search of other scams of this kind, researchers have found more malware-infested apps. The campaign, which has been named “Dark Herring,” has been running for almost two years and has hit more than 100 million Android users. Like “GriftHorse” before it, “Dark Herring” is a play on words – but this time from the phrase “red herring.” Literally translated, it means “red herring”, but figuratively it stands for a deception maneuver.

The “Dark Herring” campaign uses the same strategy that has worked in apps with “GriftHorse” malware. It makes use of “direct carrier billing” (DCB) technology – a payment method that allows users to pay by phone bill. DCB is most common in countries where the use of credit cards is not common.

After installing one of these apps, users receive several notifications per hour. According to it, they are supposed to confirm their phone number in order to win a prize. Instead, however, the hackers register the number for an SMS service, for which 30-40 euros are charged monthly via the phone bill. The “Dark Herring” apps contain hidden code that automatically signs up for payment subscriptions to “premium services” at a cost of $15. Users often only find out several months later that this amount has been charged to their phone bill.

“Dark Herring” campaign in more than 70 countries.

Although “Dark Herring” uses similar means as the “GriftHorse” attacks, “Zimperium” found out that they are different campaigns. According to them, “Dark Herring” apps have a different code base and are even more successful in preying on users. The security researchers emphasize that the apps are not simply cheap copies of each other. Rather, the cybercriminals would have invested a lot of money to release working apps across a wide range of categories. The sheer size of the campaign, with nearly 470 apps, makes it difficult for Google’s Play Store security measures to detect hidden malicious code in each one.

App malware campaign
Countries marked in yellow are affected by the “dark herring” campaign – countries in red are particularly affected. Photo: Zimperium

The “Dark Herring” campaign has reached users in more than 70 countries, according to “Zimperium.” The apps are installed on more than 105 million smartphones. Some of them have been downloaded up to five million times. They can identify the respective country based on the user’s IP address and display content in the appropriate language. Combined with the fact that the apps actually work, users can hardly notice that they are malware.

Google hat mittlerweile sämtliche betroffene Apps aus dem Play Store gelöscht. Damit bleiben sie aber dennoch auf dem Smartphone installiert und können weiterhin Schaden anrichten. Auch in App Store von Drittanbietern und in Online-Datenbanken sind sie noch zu finden. atechbook rät deshalb, die Apps sofort vom Smartphone zu löschen und nicht aus anderen Sources zu installieren. Die komplette Liste der Malware-infizierten Apps finden Sie auf der GitHub page on “Dark Herring”..


  • Zimperium
  • GitHub page on “Dark Herring”.