HummingWhale will use your phone to make ad cash for hackers

Jan 24, 2017 11:35 GMT

The HummingBad malware seems to have made a return in a new, more powerful and annoying version after last year’s clean-up.

If you remember, in February 2016, HummingBad was making headlines. The malicious app affected around 10 million Android phones around the world. The software took root in people’s phones, collected personal data and made the devices act as if their owners were clicking on ads, racking up somewhere around $300,000 per month for the people behind it, the folks over at Yingmob.

The malware was spread through third-party app stores, and it managed to reach so many devices that it became the fourth most prevalent malware globally. It did not, however, manage to infiltrate the official store - Google Play.

The new version, dubbed HummingWhale by the folks over at Check Point Software Technologies who spotted it in the first place, has improved ad fraud capabilities in its code. Basically, if the user actually spots the app and goes on to close the process, HummingWhale goes under and turns into a virtual machine, which is a lot harder to detect.

Spotting the whale

HummingWhale started to attract attention when apps that were published under the names of several fake Chinese developers showed behavior that wasn’t normal at startup. “It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context,” Check Point writes. They also carried an encrypted file of 1.3 MB posing as an image but acting as an executable app file.

“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine,” the company notes.
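The disguised-payload trait described above (a large encrypted file carrying an image name) can be checked statically when triaging an APK. The following is an added example, not code from Check Point or the original article; the function names, the size and entropy thresholds, and the entries of the sample archive are assumptions constructed for illustration.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Leading bytes of common image formats, keyed by file extension.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def suspicious_images(apk, min_size=64 * 1024, min_entropy=7.5):
    """Return (name, size, entropy) for image-named entries that are not images."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            magics = IMAGE_MAGIC.get(ext)
            if magics is None or info.file_size < min_size:
                continue  # not image-named, or too small to hold a payload
            data = zf.read(info)
            if data.startswith(magics):
                continue  # header matches the claimed format
            entropy = shannon_entropy(data)
            if entropy >= min_entropy:
                findings.append((info.filename, info.file_size, round(entropy, 2)))
    return findings

def build_sample_apk() -> io.BytesIO:
    """Constructed test archive: one PNG-headed file and one random blob named .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + os.urandom(100_000))
        # Constructed stand-in for an encrypted payload of about 1.3 MB.
        zf.writestr("assets/cover.png", os.urandom(1_300_000))
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    for name, size, ent in suspicious_images(build_sample_apk()):
        print(f"{name}: {size} bytes, entropy {ent}")
```

A hit is a lead for manual review rather than a verdict, since some apps legitimately ship packed or proprietary assets under misleading extensions.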

Once a phone is infected, the user gets sent fake ads and apps. The app, running in a virtual machine, as mentioned above, then generates a fake referrer ID hitting ads all over the web in order to generate ad revenue.

There are some differences between HummingBad and HummingWhale. For instance, the latter can push apps to run without having high permissions set by the user. It also runs without having to root the phone, while turning into a virtual machine makes it possible for it to install a lot of fraudulent apps without the target even noticing.

Be careful on Google Play too

“HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it,” Check Point notes, so you might want to pay extra attention to the apps you install on your phone, even if they come from Google Play.

Here are a few names of apps that have been known to carry the whale around - Whale Camera, Orange Camera, Ocean camera, Deep Cleaner, Hot Cleaner, Elephant Album, Smile Camera, Blinking Camera. As you can see, there are a few patterns you should try avoiding while browsing for apps, especially if you’ve never heard of the developer.

Even though Google enforces some serious rules for Android developers and the Play store is generally clean, there are hidden monsters lurking in the corner.