Mobile & Wireless

Millions Download HummingBad Variant via Google Play

A newly discovered variant of the HummingBad Android malware has been downloaded millions of times after infecting 20 applications in Google Play, Check Point security researchers warn.

Discovered in early 2016, HummingBad already proved one of the most prolific Android malware families out there, accounting for over 72% of attacks in the first half of the year.

In a report published last July, Check Point suggested that around 10 million Android devices might have been compromised by HummingBad and that its rootkit capabilities allowed attackers to take full control over the infected devices. The researchers also said that Yingmob, the group behind the malware, might have compromised over 85 million devices.

Dubbed HummingWhale, the newly discovered variant is said to include cutting edge techniques that allow it to perform its nefarious activities (ad fraud) better than before.

While HummingBad was spreading mainly through third-party app stores, the HummingWhale variant made its way into Google Play and infected 20 apps, all of which have already been removed by Google. The main giveaway feature, the researchers say, was a 1.3MB encrypted file called ‘assets/group.png’, also found in some later HummingBad samples that were masquerading as an app called “file-explorer.”

Offending apps were found to register several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER, as well as to feature a common name structure – com.XXXXXXX.camera (e.g. com.bird.sky.whale.camera, com.color.rainbow.camera, com.fishing.when.orangecamera). Apps outside of the camera family were also identified.

The HummingWhale samples were also observed registering to certain events and packing some identical strings in their code and certificates when compared to the previous HummingBad variants. HummingWhale was also observed being promoted by several new HummingBad samples, Check Point says.

The new malware variant, researchers say, is heavily packed and has its main payload in the ‘group.png’ file, which is actually an .apk that operates as a dropper. This executable file can download additional apps, a functionality observed in previous versions of HummingBad as well. The new dropper, however, uses the DroidPlugin Android plugin to upload fraudulent apps on a virtual machine.
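The indicators Check Point lists above (a package name of the form com.XXXXXXX.camera, and a roughly 1.3MB encrypted file at assets/group.png that is not a real image) lend themselves to a simple static triage check over an APK. The following Python is an added example written for this article, not Check Point's tooling or code from the report: it opens an APK as the zip archive it is, looks for the asset, checks whether the file carries a genuine PNG signature, and measures its byte entropy (encrypted payloads sit near 8 bits per byte, a real PNG does not). The size window and entropy threshold are assumptions chosen for illustration, and the package name is passed in separately because the manifest inside an APK is binary XML (decode it with apktool or aapt in practice). The sample APKs built by build_sample_apk are constructed placeholders, not real apps.

```python
import io
import math
import os
import re
import zipfile
from collections import Counter
from typing import Optional

# Indicators quoted in the article: package names of the form com.<words>.camera
# and a ~1.3 MB encrypted file at assets/group.png inside the APK.
CAMERA_PACKAGE_RE = re.compile(r"^com\.[a-z0-9.]+camera$")
DROPPER_ASSET = "assets/group.png"
# Assumption: a tolerance window around the reported 1.3 MB, not a figure from the report.
ASSET_SIZE_RANGE = (1_000_000, 1_600_000)
# Assumption: compressed image data rarely sustains this entropy; encrypted blobs do.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; about 8.0 for encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_png(data: bytes) -> bool:
    """A genuine PNG starts with the fixed 8-byte signature."""
    return data[:8] == b"\x89PNG\r\n\x1a\n"


def triage_apk(apk_bytes: bytes, package_name: str) -> dict:
    """Return which of the article's HummingWhale-style indicators an APK exhibits.

    A 'score' key counts how many indicators fired, so analysts can rank samples.
    """
    findings = {
        "camera_package_name": bool(CAMERA_PACKAGE_RE.match(package_name)),
        "has_group_png": False,
        "group_png_size_matches": False,
        "group_png_not_real_png": False,
        "group_png_high_entropy": False,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if DROPPER_ASSET in zf.namelist():
            size = zf.getinfo(DROPPER_ASSET).file_size
            data = zf.read(DROPPER_ASSET)
            findings["has_group_png"] = True
            findings["group_png_size_matches"] = ASSET_SIZE_RANGE[0] <= size <= ASSET_SIZE_RANGE[1]
            findings["group_png_not_real_png"] = not looks_like_png(data)
            findings["group_png_high_entropy"] = shannon_entropy(data) >= ENTROPY_THRESHOLD
    findings["score"] = sum(1 for v in findings.values() if v is True)
    return findings


def random_payload(size: int) -> bytes:
    """Stand-in for an encrypted blob: random bytes have near-maximal entropy."""
    return os.urandom(size)


def build_sample_apk(asset: Optional[bytes]) -> bytes:
    """Construct a minimal APK-like zip for offline testing (placeholder, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        if asset is not None:
            zf.writestr(DROPPER_ASSET, asset)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed suspicious sample: camera-style name plus a 1.3 MB non-PNG, high-entropy asset.
    suspicious = build_sample_apk(random_payload(1_300_000))
    print(triage_apk(suspicious, "com.bird.sky.whale.camera"))
    # Constructed benign sample: a tiny real PNG header under the same asset path.
    benign = build_sample_apk(b"\x89PNG\r\n\x1a\n" + b"\x00" * 100)
    print(triage_apk(benign, "com.example.notes"))
```

For a real corpus, run triage_apk over each APK pulled from a device or store mirror and feed the package name from the decoded manifest; a score of 4 or 5 is worth a manual look, while the asset path alone is weak evidence, since legitimate apps may ship a file of that name.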

“First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators,” the security researchers explain.

By using this method, the cybercriminals ensure that the malware installs apps without gaining elevated permissions first, and that the malicious activity is disguised, thus allowing the malware to infiltrate Google Play. What’s more, the embedded rootkit in the previous HummingBad variant is no longer needed, since the same results are achieved without it. On top of that, the malware can now install an infinite number of fraudulent apps without overloading the device.

“HummingWhale also conducted further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users. As can be seen in the image below, HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it,” the security researchers say.

Related: Android Malware Gang Makes $10,000 a Day: Report

Related: Millions of Android Phones Infected With “Hummer” Trojan

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
