New Variant of HummingBad malware found inside more than 20 apps on Google play infects millions
Researchers from Checkpoint have discovered a dubbed HummingWhale Android malware, Hummingbad was found inside more than 20 Google play apps. One of the apps inside Google play with Hummingbad infection appears to have been downloaded more than a millions times which had a good rating.
The new variant of Hummingbad is very sophisticated, uses chain-attack tactic and a rootkit to gain full control over the infected device.
Earlier variant of HummingBad that was discovered by Checkpoint during the first half of 2016 bagged the 4th place in ‘the most prevalent malware globally’ list with over 72% of attacks.
HummingWhale malware first raised suspicions when Check Point researchers analyzed one of the apps. It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which was dubious in that context. Code similarity inspection revealed that this was only one app out of a series of apps with a common name structure – com.XXXXXXX.camera (e.g. com.bird.sky.whale.camera, com.color.rainbow.camera, com.fishing.when.orangecamera). as stated by Checkpoint
The apps were uploaded under fake Chinese developers and the actual developer is unknown. Researchers at checkpoint were able to identify sixteen additional distinct package names. The suspicious apps had 1.3MB encrypted file ‘assets/group.png’ and some disguised as “file-explorer”. Identical strings and certificates were found with new samples of HummingWhales.
This new malware is an apk which can run as executables. This .apk acts as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.
The infected device provides a fake login screen to the user. As soon the user tries to close the ad, the downloaded app runs in a virtual machine and shows as real. The malware app uses this for ad monetization.
More is available at Checkpoint
The first Android banker malware (Android.BankBot.149.origin) of 2017 is already out and its source code is put on the web. This Android malware can steal users banking information and send it to CnC servers. The source code available on the web also means more variants of this malware will be seen in the wild very […] Continue reading →
As security controls and defense measures for computer systems become more sophisticated, cyber criminals have taken one step ahead in the world of Ransomware. The most profitable ransomware attacks has taken a leap with doxing. What is Doxware ? “Ransomware is the art of encrypting data on a network, users PC or Mac and asking for […] Continue reading →
Security researchers from Malwarebytes have identified strange traffic originating from a Mac. The unusual traffic was identified by IT admins when investigated led to espionage malware describes as Quimitchin. (Apple calls this as ‘Fruitfly’) The malware appears to have been existed for a while and undetected for quite a long time. One of the timestamp […] Continue reading →
Researchers from Checkpoint have identified that a dubbed malware Gooligan has infected more than 1.3 million Android users globally. Android targeted malware campaign infects devices and steals authentication tokens which is then used to access data from Google apps such as Google play, Gmail, google photos google docs, google drive and many others. The malware […] Continue reading →
During the month of August, motherboard one of prominent online magazine released a report that more than 60 million account details were stolen from the cloud storage provider Dropbox. However now approx. 68 million Dropbox accounts are available to download by anyone.( Exact number as publish on ibtimes :68,680,741 accounts) During the month of September, […] Continue reading →
Last week KrebsOnSecurity.com was targeted by massive 620Gbps DDoS (Distributed Denial of Service Attack) and Kerbs had to take his site down for days. The decision of taking the site down was made after Akamai (aka Prolexic) decides that the pro bono service they were offering was costing them and their customers in millions and […] Continue reading →
It was long due before Facebook made its move to share data between Whatsup app and Facebook after the acquisition. Facebook is known to invade its users privacy with a claim of openness by its CEO Mark Zuckerburg and it did it again last week to monetize as much as possible with a decision to […] Continue reading →