Researchers from Check Point have discovered a new variant of the HummingBad Android malware, dubbed HummingWhale, inside more than 20 Google Play apps. One of the infected apps on Google Play appears to have been downloaded more than a million times and carried a good rating.
The new variant of HummingBad is very sophisticated: it uses chain-attack tactics and a rootkit to gain full control over the infected device.
The earlier HummingBad variant, discovered by Check Point during the first half of 2016, took 4th place in the list of ‘the most prevalent malware globally’, with over 72% of attacks.
According to Check Point, HummingWhale first raised suspicion when its researchers analyzed one of the apps. It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER, which were dubious in that context. Code similarity inspection revealed that this was only one app out of a series of apps with a common name structure, com.XXXXXXX.camera (e.g. com.bird.sky.whale.camera, com.color.rainbow.camera, com.fishing.when.orangecamera).
The apps were uploaded under fake Chinese developer names, and the actual developer is unknown. Check Point researchers identified sixteen additional distinct package names. The suspicious apps carried a 1.3MB encrypted file, ‘assets/group.png’, and some were disguised as “file-explorer” apps. Identical strings and certificates were found in the new HummingWhale samples.
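The indicators in the two paragraphs above (boot-time broadcast registrations, the com.XXXXXXX.camera package family, and a large encrypted file stored under a .png name) can be turned into a static triage check an analyst runs over an unpacked APK. The script below is an added example written for this page, not Check Point's tooling or anything recovered from the malware. It assumes the APK has already been unpacked with a separate tool (not shown) so that the package name, the string constants from the app's code, and the raw bytes of the assets are available; the sample apps, thresholds and the high-entropy payload are constructed for illustration.

```python
"""Static triage heuristics for the HummingWhale indicators described above.

Added example, not Check Point's code. Input is an already-unpacked app:
package name, string constants found in the code, and raw asset bytes.
"""
import math
import random
import re
from collections import Counter
from dataclasses import dataclass

# Broadcast actions the report says the app registered for at boot.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.TIME_TICK",
    "android.intent.action.SCREEN_OFF",
    "com.android.vending.INSTALL_REFERRER",
}

# Package-name family from the report: com.<words>.camera / com.<words>camera
CAMERA_FAMILY = re.compile(r"com\.[a-z.]+camera")

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
LARGE_ASSET_BYTES = 1_000_000   # assumed threshold; the report's file was 1.3MB
HIGH_ENTROPY = 7.5              # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class UnpackedApp:
    package: str
    code_strings: set      # string constants pulled from the app's code
    assets: dict           # asset path -> raw bytes


def triage(app: UnpackedApp) -> list:
    """Return a list of human-readable findings; empty means nothing matched."""
    findings = []

    if CAMERA_FAMILY.fullmatch(app.package):
        findings.append(f"package name matches com.*camera family: {app.package}")

    hits = sorted(SUSPICIOUS_ACTIONS & app.code_strings)
    if len(hits) >= 2:
        findings.append("references boot-time broadcast actions: " + ", ".join(hits))

    for path, data in app.assets.items():
        ent = shannon_entropy(data)
        # A large ".png" with no PNG header and near-maximal entropy is
        # more likely an encrypted payload than an image.
        if (path.lower().endswith(".png") and not data.startswith(PNG_MAGIC)
                and len(data) >= LARGE_ASSET_BYTES and ent > HIGH_ENTROPY):
            findings.append(f"{path}: {len(data)} bytes, entropy {ent:.2f}, "
                            "no PNG header (likely encrypted payload)")
    return findings


def make_suspect_app() -> UnpackedApp:
    """Constructed sample modelled on the indicators in the report."""
    rng = random.Random(2017)
    n = 1_300_000
    payload = rng.getrandbits(8 * n).to_bytes(n, "big")   # stand-in for encrypted data
    return UnpackedApp(
        package="com.bird.sky.whale.camera",
        code_strings={"android.intent.action.TIME_TICK",
                      "android.intent.action.SCREEN_OFF",
                      "com.android.vending.INSTALL_REFERRER",
                      "android.permission.INTERNET"},
        assets={"assets/group.png": payload},
    )


def make_benign_app() -> UnpackedApp:
    """Constructed sample: ordinary package, one real (if tiny) PNG asset."""
    return UnpackedApp(
        package="com.example.notes",
        code_strings={"android.intent.action.MAIN", "android.permission.INTERNET"},
        assets={"assets/logo.png": PNG_MAGIC + bytes(512)},
    )


if __name__ == "__main__":
    for app in (make_suspect_app(), make_benign_app()):
        print(app.package, "->", triage(app) or "no findings")
```

Each heuristic on its own is weak (camera apps and INSTALL_REFERRER receivers are common), which is why the entropy check requires size, missing PNG header and near-maximal entropy together, and why the findings are returned for an analyst to weigh rather than turned into a verdict.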
This new malware is an APK that can run as an executable. The .apk acts as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further: it uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.
The infected device shows the user a fake login screen. As soon as the user tries to close the ad, the downloaded app runs in a virtual machine and appears to be real. The malware uses this for ad monetization.
More is available at Check Point.