DecryptedTech

Friday, 12 August 2022

Direct Carrier Billing Scam Apps Nab 105 Million Users on Mobile Devices



Scammers and threat groups are nothing if not creative. They have time and quite a bit of talent on their hands to figure out ways around security features and gateways to get what they want. Take the recent discovery of Dark Herring: this lovely mobile malware/scam gem was discovered by Zimperium and was inserted into several seemingly benign apps. These apps were pushed to Google Play, where they were downloaded by hundreds of millions of people.

The apps slipped by the Google safeguards and checks. They did not even appear to have any unusual permission requests. They appeared to be what they said they were. However, hiding inside the apps was a function to take advantage of a feature called Direct Carrier Billing (DCB). This feature allows an app or service to bill directly to your carrier.

The scamware is slick: when the app is launched, it presents a web view to the user after gathering some configuration information (language, region, etc.). The view then asks the user to confirm their location by entering their phone number. This phone number is the key to the API calls that enable the DCB. Once that is done, the scamware starts a monthly billing cycle. The amount that is billed to the account is low (around $15). This is small enough that it could be overlooked, and with the push for automated billing it might never be noticed at all by a person with an infected device. However, based on the large number of users impacted, the billing amount would not need to be large to turn a massive profit.

The threat group appears to be new, or at least newly identified in terms of their TTPs, although they do have some similarities with another group dubbed GriftHorse. Once again, we see that mobile devices are easy targets due to several factors, including how people use them. This trend is likely to continue and even become more widespread simply because our mobile devices can do so much more and, as we have said before, are typically used as both work and personal platforms. The antimalware industry really needs to step up, and soon.

Complete list of known infected apps

Stay safe out there.
