HummingWhale: Virulent Malware Reappears On Android
Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play. Dubbed as HummingWhale, this malware is equipped with advanced techniques that have taken ad fraud to another level.
According to Check Point researchers, the infected apps were downloaded by nearly 12 million unsuspecting users before the Google Security team removed them from Google Play.
HummingWhale, like its notorious predecessor HummingBad, belongs to the family of malicious apps invading non-Google app markets. HummingBad, when discovered in February 2016, stood out as “an extremely sophisticated and well-developed malware, which employed a chain-attack tactic and a rootkit to gain full control over the infected device.”
HummingWhale, however, has stepped up HummingBad’s game. While the HummingBad attack is based on rooting a device, HummingWhale introduces a new virtual machine to facilitate the attack.
Earlier HummingBad went on to affect nearly 10 million victims and generated a whopping revenue of $300,000 per month. It earned itself the repute of the most prevalent malware globally with over 72% attacks to its credit.
HummingWhale, too, aims to generate revenue by displaying fraudulent ads and automatically installing apps. In their blog post, Check Point explains that it uses the Command and Control server (C&C) to present fake ads to the user.
“Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators.”
It is interesting to explore how HummingWhale achieves all this. Each affected app had a characteristic encrypted file that was suspiciously large. It packed a .apk which operated as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper uses an Android plugin called DroidPlugin, developed by Qihoo 360, to upload fraudulent apps on the virtual machine.
Also Read: Google Pixel Hacked by Qihoo 360 in <18 Secs
A distinct step-up from HummingBad is its reliance on the virtual machine. HummingWhale no longer requires elevated privileges to be granted. It can install hoards of fraudulent apps without eating up device memory. HummingWhale is also known to display deceptive ads and hiding the original malicious app once it’s installed.
To attract unwary users, it tries to improve its Google Play reputation by automatically generating posts disguised as positive user comments and ratings. This is not unlike the features are seen earlier in Gooligan and CallJam malware.
It is evident that users cannot judge reliability solely on the basis of Google Play ratings.
It is possible for users to verify whether an app is infected, by simply noting the package name. Package names for infected apps typically contain a common naming structure that includes com.XXXXXXXXX.camera, like com.bird.sky.whale.camera or com.color.rainbow.camera. Check Point lists a number of such malicious package names on their blog.
According to Google’s update, all HummingWhale infected apps have been removed from the Play Store. In case a user has been infected, the best (but possibly last) option is to carry out a factory reset of their device, after backing up all important data.
Let us know your opinions on this in the comments below.