Android malware known as HummingBad, which infected as many as 10 million devices in 2016, has resurfaced with several new features that allow it to perform ad fraud even more efficiently than its predecessor.
Researchers said the variant, known as HummingWhale, was being distributed via 20 camera, music, flashlight and adult apps on Google Play. Google removed the apps after the issue was privately disclosed by Check Point two weeks ago.
“It was probably only a matter of time before HummingBad evolved and made its way onto Google Play again,” wrote Oren Koriat, mobile cyber security analyst with Check Point. He said the infected apps in this most recent campaign were downloaded several million times by unsuspecting users.
Researchers made the link between the two malware samples after they spotted a malicious app that shared many of HummingBad's attributes. “It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which was dubious in that context,” Koriat wrote. Their suspicions were confirmed when they observed similar strings in the code and a 1.3 MB encrypted file called “assets/group.png” that was identical to a HummingBad file called “file-explorer.”
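As an added illustration, not part of Check Point's report or of this article, the Python triage script below checks an APK for the two static indicators quoted above: the three intent action strings present in classes.dex, and an asset that carries an image extension but has no image header and near-uniform byte entropy, which is how a 1.3 MB encrypted “group.png” would look to a scanner. The sample APK it analyses is constructed in memory for the demonstration only; the size and entropy thresholds are assumptions chosen for the example, not figures from the report.

```python
import io
import math
import random
import zipfile

# Indicators quoted in the Check Point write-up: events the sample registers on
# boot. All three together in one app is the combination the analyst called dubious.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.TIME_TICK",
    "android.intent.action.SCREEN_OFF",
    "com.android.vending.INSTALL_REFERRER",
}
# Heuristic thresholds (assumptions for this example, not values from the report).
ENCRYPTED_ASSET_MIN_BYTES = 512 * 1024   # ignore small icons and sprites
HIGH_ENTROPY_BITS = 7.5                  # bits per byte; ciphertext is close to 8.0

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def header_matches_extension(name: str, head: bytes) -> bool:
    """True when a file with an image extension actually starts with that image's magic."""
    lower = name.lower()
    if lower.endswith(".png"):
        return head.startswith(PNG_MAGIC)
    if lower.endswith((".jpg", ".jpeg")):
        return head.startswith(JPEG_MAGIC)
    if lower.endswith(".gif"):
        return head.startswith(GIF_MAGICS)
    return True  # not an image extension, so there is no masquerade to check


def dex_action_strings(dex_bytes: bytes) -> set:
    """Return the indicator action strings found anywhere in a dex file's bytes."""
    return {a for a in SUSPICIOUS_ACTIONS if a.encode() in dex_bytes}


def triage_apk(apk_bytes: bytes) -> dict:
    """Map each flagged archive member to the reason it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name.startswith("classes") and name.endswith(".dex"):
                hits = dex_action_strings(z.read(name))
                if len(hits) >= 2:
                    findings[name] = "registers " + ", ".join(sorted(hits))
            elif name.startswith("assets/") and info.file_size >= ENCRYPTED_ASSET_MIN_BYTES:
                data = z.read(name)
                if not header_matches_extension(name, data[:8]):
                    ent = shannon_entropy(data)
                    if ent > HIGH_ENTROPY_BITS:
                        findings[name] = (f"{info.file_size} bytes, image extension without "
                                          f"image header, entropy {ent:.2f} bits/byte")
    return findings


def build_sample_apk(with_indicators: bool) -> bytes:
    """Construct a minimal zip laid out like an APK (a stand-in, not a real APK)."""
    rnd = random.Random(1)  # deterministic pseudo-random bytes stand in for ciphertext
    actions = ["android.intent.action.BOOT_COMPLETED"]
    if with_indicators:
        actions += sorted(SUSPICIOUS_ACTIONS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Fake dex: magic followed by NUL-separated strings, enough for substring search.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(a.encode() for a in actions))
        if with_indicators:
            blob = bytes(rnd.getrandbits(8) for _ in range(600 * 1024))
            z.writestr("assets/group.png", blob)  # asset name taken from the article
        else:
            z.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 32)  # a benign, real-looking PNG
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("suspicious", build_sample_apk(True)), ("benign", build_sample_apk(False))):
        print(label, triage_apk(apk) or "no findings")
```

Either indicator on its own is weak: many legitimate apps listen for INSTALL_REFERRER, and a packed game asset can be high-entropy too. The script therefore reports on the combination the analyst described (several boot-time events together, plus a large asset whose extension lies about its contents), which is the kind of rule a reviewer would feed into a sandbox queue rather than treat as a verdict.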
Check Point discovered HummingBad last February and, in July, published a report identifying a group called Yingmob as the operator behind the malware. Yingmob was the side business of a legitimate Chinese advertising analytics firm. By the first half of 2016, HummingBad had grown so prevalent that it represented 72 percent of mobile attacks, according to researchers, and was bringing in $300,000 a month.
HummingWhale infection rates don’t appear to match its predecessor’s, Check Point said. It estimates that between two and 12 million devices were infected.
Once a victim downloads the malicious app, the APK operates as a dropper, downloading several additional apps, similar in function to HummingBad. “This dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine,” according to the researcher.
DroidPlugin is an application-level virtualization and proxy framework used mostly by Android developers to reduce APK sizes and to run multiple instances of an app on the same device. In the case of HummingWhale, the criminals use DroidPlugin to generate fake referrer IDs and make money from them.
“First, the command and control server provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer ID, which the malware uses to generate revenue for the perpetrators,” Koriat wrote.
This technique allows apps to be installed without elevated permissions. It also cloaks the app’s malicious functions, making them harder for Google Play’s scanners to detect.
Other malicious activity includes displaying illegitimate ads on the device and hiding the original app after installation so that it is harder to uninstall. According to Check Point, the malware writers have also picked up a few tricks from other malware families.
“HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it,” according to the report.