HummingBad malware returns in new, more annoying variant
Is it a bird? Is it a plane? No, it's a HUMMINGWHALE
The HummingBad malware, first discovered in February 2016, is making a return visit to the charts.
The original was cleaned up, but not before the malware's authors Yingmob racked up around US$300,000 per month at its peak.
Check Point Software Technologies says it's spotted the return version, which it's dubbed HummingWhale, adding the authors have added better ad fraud capabilities to the code.
HummingWhale is tricky: if a user notices and closes its process, it then drops itself into a virtual machine to make it harder to detect.
HummingWhale raised Check Point's red flags when apps published under the names of “fake Chinese developers” showed dubious startup behaviours: “It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context.”
The dodgy apps also carried an encrypted 1.3 MB file, the main payload, which presents as if it's an image (it's called group.png) but is an executable .apk file.
“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.”
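A defender-side check for the disguise described above, added here as an example and not Check Point's own tooling: it walks an APK's archive members and flags image-named assets whose leading bytes are really a ZIP (an embedded .apk) or unrecognised data rather than the image format the extension claims. The sample APK it scans is constructed inline.

```python
import io
import os
import zipfile

# An APK is a ZIP archive, so a "PNG" asset beginning with the ZIP
# local-file header is an embedded archive, not a picture.
ZIP_MAGIC = b"PK\x03\x04"

# Magic bytes each image extension is expected to start with.
IMAGE_MAGICS = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def classify_blob(head):
    """Label the first bytes of a member as 'zip', 'image' or 'unknown'."""
    if head.startswith(ZIP_MAGIC):
        return "zip"
    for magics in IMAGE_MAGICS.values():
        if any(head.startswith(m) for m in magics):
            return "image"
    return "unknown"  # high-entropy/unknown data may be an encrypted payload


def find_disguised_assets(apk_bytes):
    """Return (member name, detected kind, size) for every image-named
    member whose content does not match its extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename.lower())[1]
            if ext not in IMAGE_MAGICS:
                continue
            with zf.open(info) as fh:
                head = fh.read(16)
            if any(head.startswith(m) for m in IMAGE_MAGICS[ext]):
                continue  # extension and content agree
            findings.append((info.filename, classify_blob(head), info.file_size))
    return findings


def build_sample_apk():
    """Constructed test input: a minimal APK-like ZIP holding a genuine PNG,
    a 'group.png' that is really a nested ZIP, and an opaque 'blob.jpg'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
        z.writestr("assets/group.png", inner.getvalue())
        z.writestr("assets/blob.jpg", b"\x17\x42" + bytes(range(64)))
    return outer.getvalue()
```

Running `find_disguised_assets(build_sample_apk())` reports `assets/group.png` as a ZIP and `assets/blob.jpg` as unknown data while the genuine icon passes.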
When a user is infected, the command-and-control server sends the user fake ads and apps. The app, running in a virtual machine, generates a fake referrer ID that hits ads to generate the 'net scum's revenue.
Check Point notes that HummingWhale can get apps running without having to obtain elevated permissions, and disguises its malice to get onto Google Play.
Unlike the original HummingBad, it runs without having to root the victim's phone, and its use of virtual machines means it can install lots of fraudulent apps without overloading the target.
“HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it”, the post concludes.
Check Point says it spotted HummingWhale in more than 20 apps, which have since been removed from Google Play. ®