Remember HummingBad? It’s an “old” malware from early-to-mid 2016, which was discovered and addressed at the time. However, it looks like it wasn’t killed, and a version of it called HummingWhale has been found in the Google Play store, inside over 20 apps that were downloaded several million times by unsuspecting users.
HummingWhale comes with “cutting edge techniques” that let it perform fraud better than before, Check Point says. That’s the same group that identified the first strain of the malware, which affected more than 10 million users last year.
Check Point also discovered its creators and concluded that the malware was able to generate some $300,000 per month from fraudulent advertising. That’s right, this malware doesn’t steal sensitive data from you. Instead, it hijacks ad views for profit.
The new Google Play apps seem to be camera-related apps uploaded under names of fake Chinese developers. Each of these apps has an encrypted file that’s “suspiciously large.”
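A large, encrypted file bundled inside an app package is something a defender can triage for. The sketch below is an added example, not Check Point's detection method or code from the original article: it lists APK entries that are both large and high-entropy. The thresholds, file names and sample archive are assumptions constructed for illustration, and a hit is a lead for manual review, not proof of infection.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Assumed thresholds; the page does not quantify "suspiciously large".
MIN_SIZE = 1_000_000       # bytes
MIN_ENTROPY = 7.9          # bits per byte; encrypted data sits close to 8.0
SAMPLE = 4 * 1024 * 1024   # bytes read per entry, to bound memory use
# Legitimately compressed formats, where high entropy is expected.
KNOWN_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"OggS", b"\x1f\x8b", b"RIFF")

def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_entries(apk, min_size=MIN_SIZE, min_entropy=MIN_ENTROPY):
    """Return (name, size, entropy) for large, high-entropy, unrecognised files."""
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < min_size:
                continue
            with zf.open(info) as fh:
                data = fh.read(SAMPLE)
            if data.startswith(KNOWN_MAGIC):
                continue
            entropy = shannon_entropy(data)
            if entropy >= min_entropy:
                hits.append((info.filename, info.file_size, round(entropy, 3)))
    return sorted(hits, key=lambda hit: -hit[1])

def build_sample_apk(blob_size=200_000):
    """Constructed stand-in for an APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/data.bin", os.urandom(blob_size))  # mimics ciphertext
        zf.writestr("res/drawable/bg.png", b"\x89PNG" + os.urandom(blob_size))
        zf.writestr("assets/licenses.txt", b"Apache License 2.0\n" * (blob_size // 19))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, size, entropy in suspicious_entries(build_sample_apk(), min_size=100_000):
        print(f"{name}\t{size} bytes\tentropy={entropy}")
```

Entries that start with a known compressed-format signature are skipped because images and archives are also high-entropy; a payload disguised with such a header would evade this check, so it complements rather than replaces a malware scanner.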
The malware can be used to download and execute other apps. Moreover, the app can use an Android plugin to upload fraudulent apps on a virtual machine.
“First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user,” Check Point writes. “Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators.”
The malware is more sophisticated than its predecessor in many ways. It can install apps without getting elevated permissions, and it can install an infinite number of fraudulent apps without actually overloading the device. That means the user would not even notice that something is wrong.
Additionally, HummingWhale also tries to increase its Google Play reputation using fraudulent comments and ratings.
Check Point told BGR that it informed Google about these new malware apps, which were removed from Google Play.
This is how you check if your phone or tablet was infected with a HummingBad strain, although the tools might not necessarily detect HummingWhale as well.