reader comments 26
Share this story
A virulent family of malware that infected more than 10 million Android devices last year has made a comeback, this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users.
HummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the name given to a family of malicious apps researchers documented in July invading non-Google app markets. HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000 fraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per month in revenue. Of the 10 million people who downloaded HummingBad-contaminated apps, an estimated 286,000 of them were located in the US.
HummingWhale, by contrast, managed to sneak its way into about 20 Google Play apps that were downloaded from 2 million to 12 million times, according to researchers from Check Point, the security company that has been closely following the malware family for almost a year. Rather than rooting devices, the latest variant includes new virtual machine techniques that allow the malware to perform ad fraud better than ever, company researchers said in a blog post published Monday.
“Users must realize that they can no longer trust in installing only apps with a high reputation from official app stores as their sole defense,” the researchers wrote in an e-mail to Ars. “This malware employs several tactics to keep its activity hidden, meaning users might be unaware of its existence on their device.”
As was the case with HummingBad, the purpose of HummingWhale is to generate revenue by displaying fraudulent ads and automatically installing apps. When users try to close the ads, the new functionality causes already downloaded apps to run in a virtual machine. That creates a fake ID that allows the perpetrators to generate referral revenues. Use of the virtual machine brings many technical benefits to the operators, chief among them allowing the malware to install apps without requiring users to approve a list of elevated permissions.
The VM also disguises the malicious activity, making it easier for the apps to infiltrate Google Play. It has the added benefit of installing a nearly unlimited number of fraudulent apps without overloading the infected device. Until now, Android malware that wanted advanced capabilities typically had to trick users into approving sometimes scary-sounding permissions or exploit rooting vulnerabilities.
Ginning the ratings
To implement the VM feature, the malicious APK installation dropper used by HummingWhale uses DroidPlugin, an existing Android plugin for uploading fraudulent ads to VMs. It originally was developed by a rival group of developers known as Qihoo 360, Check Point said. HummingWhale has also been observed hiding the original malicious app once it’s installed and trying to improve its Google Play reputation by automatically generating posts disguised as positive user comments and ratings. Gooligan, a family of Android malware that came to light in November after it compromised more than 1 million Google accounts, contained similar abilities to tamper with Google Play ratings.
People who want to know if their Android devices are infected can download the Check Point app here. A separate app from Check Point competitor Lookout also detects the threat as a variant of the Shedun malware family. More technically inclined people can detect infections by seeing if a device connects to a control server located at app.blinkingcamera.com. Package names for infected apps typically contain a common naming structure that includes com.XXXXXXXXX.camera, for example com.bird.sky.whale.camera (app name: Whale Camera), com.color.rainbow.camera (Rainbow Camera), and com.fishing.when.orangecamera (Orange Camera).
Google officials removed the malicious apps from the Play market after receiving a private report of their existence. A company representative declined to comment for this post.