HummingBad malware is back and more powerful than ever, researchers said.
HummingBad infected 10 million Android phones around the world last year. Once the software took root in a phone, it collected personal data and made the device act as though its user were clicking on ads. The malware spread through third-party app stores, and it reached so many devices that it became the fourth most prevalent malware globally. It did not infiltrate the Google Play store.
The new version, which Check Point Software Technologies researchers called HummingWhale, has improved ad fraud capabilities in its code. If the user spots the app and closes its process, HummingWhale goes under and turns into a virtual machine.
HummingWhale started to attract attention when apps published under the names of several fake Chinese developers showed behavior that wasn’t normal at startup. “It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context,” Check Point researchers said in a blog post. They also carried an encrypted file of 1.3 MB posing as an image but acting as an executable app file.
“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine,” the company said.
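The "image" that is not an image is something a defender can check for directly. The following is an added example, not Check Point's tooling or code from the original article: it walks an APK (a ZIP archive) and flags large entries whose extension claims an image format but whose first bytes do not match that format, reporting byte entropy as a hint that the content is encrypted. The entry names, the size threshold and the sample archive are constructed for illustration.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Magic-byte prefixes for common image formats, keyed by file extension.
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".bmp": [b"BM"],
    ".webp": [b"RIFF"],
}

def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_fake_images(apk_bytes, min_size=64 * 1024):
    """Return (name, size, entropy) for image-named entries lacking image magic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            # min_size is an assumed threshold to skip small, harmless resources.
            if ext not in IMAGE_MAGIC or info.file_size < min_size:
                continue
            data = apk.read(info)
            if not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
                entropy = round(shannon_entropy(data), 2)
                findings.append((info.filename, info.file_size, entropy))
    return findings

def build_sample_apk():
    """Constructed sample: one entry with a PNG header, one random blob named .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + bytes(100_000))
        # Random bytes stand in for a 1.3 MB encrypted payload (hypothetical name).
        z.writestr("assets/sample_blob.png", os.urandom(1_300_000))
    return buf.getvalue()

if __name__ == "__main__":
    for name, size, ent in find_fake_images(build_sample_apk()):
        print(f"{name}: {size} bytes, entropy {ent} bits/byte, no image header")
```

A hit is a triage signal rather than a verdict: legitimate apps occasionally ship mislabeled or obfuscated assets, so flagged entries still need manual review.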
Once a phone is infected, the user gets fake ads and apps. The app, running in a virtual machine, then generates a fake referrer ID, hitting ads all over the web in order to generate ad revenue.
While similar to its predecessor, HummingWhale steps up the sophistication. It can push apps to run without the user having to grant elevated permissions. It also runs without having to root the phone, and turning into a virtual machine lets it install a large number of fraudulent apps without the target noticing.