Security News HummingWhale Breaches the Surface of Google Play

Exterminator

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
HummingWhale, a new variant of the HummingBad malware, has been found hiding in more than 20 apps on Google Play. It includes new, cutting-edge techniques that allow it to perform ad fraud better than ever before.

According to Check Point researchers, the infected apps were downloaded several million times by unsuspecting users before the Google Security team removed them from Google Play.

HummingWhale’s command and control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and runs as if it is a real device. This action generates the fake referrer ID, which the malware uses to generate revenues for the perpetrators.

HummingWhale also conducts further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users. HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it.

HummingBad was first discovered by Check Point last February, using a chain-attack tactic and a rootkit to gain full control over an infected device. China’s Yingmob was later identified as the group behind the campaign. Over the first half of 2016 it reached fourth place in ‘the most prevalent malware globally’ list, and dominated the mobile threat landscape with over 72% of attacks. In all, it affected over 10 million victims, rooting thousands of devices each day and generating at least $300,000 per month.

HummingWhale shares much DNA with the original HummingBad, including a 1.3MB, suspiciously large, encrypted file called ‘assets/group.png’ – a. The new samples of HummingWhale also match several other traits and identifiers seen in previous samples, such as registering to certain events and some identical strings in their code and certificates.

“It was probably only a matter of time before HummingBad evolved and made its way onto Google Play again,” said Check Point researchers, in a posting. “It allows the malware to install apps without gaining elevated permissions first, then disguises the malicious activity, which allows it to infiltrate Google Play. It also allows the malware to let go of its embedded rootkit since it can achieve the same effect even without it. It can install an infinite number of fraudulent apps without overloading the device.”
Click to expand...
 
  • Like
Reactions: Solarquest and Sr. Normal 2.0
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Malware News Over 200 malicious apps on Google Play downloaded millions of times
Replies
1
Views
1,185
Security News
Digmor Crusher
Digmor Crusher
Gandalf_The_Grey
    • Wow
    • Like
    • Sad
Google removes Kaspersky's antivirus software from Play Store
Replies
17
Views
1,304
Kaspersky
harlan4096
harlan4096
silversurfer
    • Like
New Update The Google Play Store now lets you download or update three apps simultaneously
Replies
1
Views
201
Android & WearOS
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top