Check Point’s mobile security researchers have found a new variant of the ‘HummingBad’ malware, hidden in more than 20 apps on Google Play. The infected apps in this new campaign were downloaded several million times by unsuspecting users. Check Point has informed the Google Security team about the apps, which have been removed from Google Play.
This new variant, called ‘HummingWhale,’ includes new, cutting edge techniques that extend the capabilities of the original Hummingbad malware, and allow it to perform advertisement click fraud more effectively and stealthily than before from infected apps on Google Play.
Check Point researchers found the new malware when analyzing a suspicious app. The new app contained identifiers seen in previous HummingBad samples. However, the new malware goes further, using an Android plugin called DroidPlugin, developed by Qihoo 360, to upload fraudulent apps on a virtual machine. This allows the app to be uploaded to a virtual machine on the user’s device, and run as if it is a real device. This action generates a fake ID, which the malware then uses to generate ad click revenues for the perpetrators. This method has several advantages:
- It allows the malware to install apps without gaining elevated permissions first.
- It disguises the malicious activity, which allows it to infiltrate Google Play.
- It allows the malware to let go of its embedded rootkit since it can achieve the same effect even without rooting the device.
- It can install an infinite number of fraudulent apps without overloading the device.
HummingWhale also conducts further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation. HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware.
HummingBad is malware first discovered by Check Point on customers’ devices in February 2016. HummingBad stands out as an extremely sophisticated and well-developed malware variant, which employed a rootkit to gain full control over infected devices. Later, in July 2016, Check Point unraveled the entire infrastructure behind the malware’s activities, and identified Yingmob, the group behind the campaign. The malware was spread through third-party app stores and affected over 10 million victims, generating $300,000 per month. HummingBad was so widespread that in the first half of 2016 it reached fourth place in ‘the most prevalent malware globally’ list, and dominated the mobile threat landscape with over 72% of attacks.
This is a prime example of malware developers learning from each other, as tactics that were introduced by one of them are quickly adopted by others. The fraudulent ratings left by such malware is another reminder that users cannot rely on Google Play’s app vetting process for protection, and must apply further, more advanced means of security.
Full details are at: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/