The security firm CheckPoint has detected the notorious HummingWhale malware in 20 Android apps that are in common use among Android users, having been downloaded millions of times (approximately 2 to 12 million).
According to CheckPoint's analysis, an earlier version of the malware, known as HummingBad, was found in 2016 in official apps on the Google Play Store and affected 10 million or more devices. In that case, Yingmob, a Chinese hacker group, was blamed for the campaign.
CheckPoint noted that HummingBad was also a "sophisticated and well-developed malware" that employed a rootkit and a chain-attack tactic to acquire complete control over the infected device. It targeted non-Google apps and exploited unpatched vulnerabilities and security flaws to gain root privileges on devices running older Android OS versions. Google eventually shut it down, but by then HummingBad had been installed in over 50,000 apps, as it was infecting apps on a daily basis. It displayed 20 million malicious ads and earned the attackers $300,000 per month in revenue. Of the 10 million users who downloaded apps infected with HummingBad, around 286,000 were located in the US.
HummingWhale differs from HummingBad in impact and severity. It is much more sophisticated than HummingBad and launches different fake apps and ads after gaining control of the device. It also uses its command and control center to virtually kill the device it inhabits. So far it has affected 20 apps on the Google Play Store. Unlike its predecessor HummingBad, HummingWhale does not root devices; instead it uses virtual machine tactics that let the malware carry out ad fraud more convincingly.
Just like HummingBad, the latest variant is designed to generate revenue by displaying fake ads and installing apps automatically. Whenever a user tries to close the ads, the malware's new tactic lets the downloaded apps run inside the virtual machine under a fake ID, which allows the attackers to earn money through referrals. HummingWhale's VM feature is implemented through its malicious APK-installation dropper using DroidPlugin, an extension developed by the Chinese firm Qihoo 360.
Unlike the previous versions, which wreaked havoc and affected many devices, the current problem is already under control, since Google has removed the infected apps. CheckPoint's security researchers believe it is unlikely that the same Chinese gang is behind this recent wave of HummingWhale attacks. However, the company has stated that there are strong resemblances between the previous malware attacks and the latest one in the methods, strategies and tactics used to attack devices.
CheckPoint suspects that the reason may be that malware developers are learning from each other. The firm also stated that it is evident that users cannot trust apps available on legitimate platforms like the Google Play Store.
"The fraudulent ratings left by such malware are another reminder that users cannot rely on Google Play for protection, and must apply further, more advanced means of security," explained CheckPoint.