Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Millions Download HummingBad Variant via Google Play

A newly discovered variant of the HummingBad Android malware has been downloaded millions of times after infecting 20 applications in Google Play, Check Point security researchers warn.

A newly discovered variant of the HummingBad Android malware has been downloaded millions of times after infecting 20 applications in Google Play, Check Point security researchers warn.

Discovered in early 2016, HummingBad already proved one of the most prolific Android malware families out there, accounting for over 72% of attacks in the first half of the year.

In a report published last July, Check Point suggested that around 10 million Android devices might have been compromised by HummingBad and that its rootkit capabilities allowed attackers take full control over the infected devices. The researchers also said that Yingmob, the group behind the malware, might have compromised over 85 million devices.

Dubbed HummingWhale, the newly discovered variant is said to include cutting edge techniques that allow it to perform its nefarious activities (ad fraud) better than before.

While HummingBad was spreading mainly through third-party app stores, the HummingWhale variant made its way into Google Play and infected 20 apps, all of which have been already removed by Google. The main giveaway feature, the researchers say was a 1.3MB encrypted file called ‘assets/group.png’ also found in some later HummingBad samples that were masquerading as an app called “file-explorer.”

Offending apps were found to register several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER, as well as to feature a common name structure – (e.g.,, Apps outside of the camera family were also identified.

The HummingWhale samples were also observed registering to certain events and packing some identical strings in their code and certificates when compared to the previous HummingBad variants. HummingWhale was also observed being promoted by several new HummingBad samples, Check Point says.

The new malware variant, researchers say, is heavily packed and has its main payload in the ‘group.png’ file, which is actually an .apk that operates as a dropper. This executable file can download additional apps, a functionality observed in previous versions of HummingBad as well. The new dropper, however, uses the DroidPlugin Android plugin to upload fraudulent apps on a virtual machine.

“First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators,” the security researchers explain.

By using this method, the cybercriminals ensure that the malware installs apps without gaining elevated permissions first, and that the malicious activity is disguised, thus allowing the malware to infiltrate Google Play. What’s more, the embedded rootkit in the previous HummingBad variant is no longer needed, since the same results are achieved without it. On top of that, the malware can now install an infinite number of fraudulent apps without overloading the device.

“HummingWhale also conducted further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users. As can be seen in the image below, HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it,” the security researchers say.

Related: Android Malware Gang Makes $10,000 a Day: Report

Related: Millions of Android Phones Infected With “Hummer” Trojan

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Chinese tech giant Huawei patched nearly 300 vulnerabilities in its HarmonyOS operating system in 2022.