HummingBad – an Android-based malware that infected over 10 million Android devices around the world last year and made its gang an estimated US$300,000 per month at its peak – has made a comeback.

Security researchers have discovered a new variant of the HummingBad malware hiding in more than 20 Android apps on Google Play Store.

The infected apps were already downloaded by over 12 Million unsuspecting users before the Google Security team removed them from the Play Store.

Dubbed HummingWhale by researchers at security firm Check Point, the new malware utilizes new, cutting-edge techniques that allow the nasty software to conduct Ad fraud better than ever before and generate revenue for its developers.

The Check Point researchers said the HummingWhale-infected apps had been published under the name of fake Chinese developers on the Play Store with common name structure, com.[name].camera, but with suspicious startup behaviors.
"It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context," Check Point researchers said in a blog post published Monday.

HummingWhale Runs Malicious Apps in a Virtual Machine

The HummingWhale malware is tricky than HummingBad, as it uses a disguised Android application package (APK) file that acts as a dropper which downloads and runs further apps on the victim's smartphone.

If the victim notices and closes its process, the APK file then drops itself into a virtual machine in an effort to make it harder to detect.

The dropper makes use of an Android plugin created by the popular Chinese security vendor Qihoo 360 to upload malicious apps to the virtual machine, allowing HummingWhale to further install other apps without having to elevate permissions, and disguises its malicious activity to get onto Google Play.
"This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad," researchers said. "However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine."

HummingWhale Runs Without having to Root the Android Device

Thanks to the virtual machine (VM), the HummingWhale malware no longer needs to root Android devices unlike HummingBad and can install any number of malicious or fraudulent apps on the victim's devices without overloading their smartphones.

Once the victim gets infected, the command and control (C&C) server send fake ads and malicious apps to the user, which runs in a VM, generating a fake referrer ID used to spoof unique users for ad fraud purposes and generate revenue.

Alike the original HummingBad, the purpose of HummingWhale is to make lots of money through ad fraud and fake app installations.

Besides all these malicious capabilities, the HummingWhale malware also tries to raise its reputation on Google Play Store using fraudulent ratings and comments, the tactic similar to the one utilized by the Gooligan malware.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.