New HummingWhale Android Malware Emerges in Google Play

A new version of the nasty HummingBad malware that hit millions of Android users last year has appeared in a number of malicious apps in the Google Play store recently as part of a new ad fraud campaign.
The new malware is known as HummingWhale and includes a new set of functionality that allows it to avoid using a rootkit to install additional apps after the initial download. The attackers behind this campaign are using a virtual machine to load fraudulent apps and generate referrer IDs as part of the ad fraud campaign. That allows them to create as many fake referrer IDs as they want, generating more revenue for the attackers.
Researchers at Check Point discovered the HummingWhale malware implanted in several apps in the Google Play app store that had been uploaded by fake developers in China. Many of the apps are presented as camera apps and they include a huge encrypted file called group.png.
“In addition, we identified several new HummingBad samples which operate as the previous version did and begun to promote the new HummingWhale version as part of their activity. This new malware was also heavily packed and contained its main payload in the ‘group.png’ file, which is, in fact, an apk, meaning they can be run as executables,” Oren Koriat, a mobile security analyst at Check Point, wrote in an analysis of the malware.
“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.”
Once that’s done, the malware begins taking instructions from a remote server controlled by the attackers.
“First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators,” Koriat said.
HummingWhale is the latest entry in the expanding field of ad-fraud related malware to hit Android devices. Last last year, Check Point also discovered the Gooligan malware in a number of third-party app stores. That family has similar ambitions as HummingWhale, installing other apps and generating fake clicks to earn money for the attackers.