Remember HummingBad? Yes, the Android malware that secretly rooted victims' devices by launching a chain attack and gaining complete control over the infected device. It was only last year that the Check Point blog shed light on how the malware operated and on its infrastructure. The bad news is that the malware has reared its ugly head yet again, this time in a new variant called “HummingWhale”. As expected, the latest version of the malware is stronger and is expected to create more chaos than its predecessor, all the while retaining its ad-fraud DNA.
The malware had initially spread via third-party apps and is said to have affected more than 10 million phones, rooting thousands of devices every day and generating money to the tune of $300,000 every month. Security researchers have found that the new variant of the malware is hiding in more than 20 Android apps on the Google Play Store, and those apps have already been downloaded over 12 million times. Google has already acted on the reports and removed the apps from the Play Store.
Furthermore, Check Point researchers have revealed that the HummingWhale-infected apps were published under a Chinese developer alias and were associated with suspicious startup behavior.
HummingBad vs. HummingWhale
The first question that pops into anyone’s head is how sophisticated HummingWhale is compared to HummingBad. Well, to be honest, despite sharing the same DNA, the modus operandi is quite different. HummingWhale uses an APK to deliver its payload, and if the victim notices the process and tries to close the app, the APK file is dropped into a virtual machine, making it nearly impossible to detect.
“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.” – Check Point
HummingWhale doesn’t need to root the device; it works through the virtual machine instead. This allows the malware to initiate any number of fraudulent installations on the infected device without actually showing up anywhere. The ad fraud is carried out by the command and control (C&C) server, which sends fake ads and apps to the user; these run inside the VM and rely on a fake referrer ID to trick the ad networks and generate ad revenue. The only word of caution is to make sure you download apps from reputable developers and watch for signs of fraud.