Wednesday, 25 January 2017 11:11

HummingBad morphs into HummingWhale

By Ray Shaw

Check Point has found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play. Before removal, the infected apps were downloaded several million times by unsuspecting users.

Check Point found this new variant, dubbed ‘HummingWhale,’ includes new, cutting-edge techniques that allow it to perform ad fraud better than before.

HummingBad originally spread via third-party app stores and in the first half of 2016 it reached fourth place in "the most prevalent malware globally" list and dominated the mobile threat landscape with over 72% of attacks.

All of the infected apps were uploaded to Google Play under the names of fake Chinese developers. In addition to the “Whale camera family”, there were 16 additional, distinct package names related to the same malware.

HummingWhale is “heavily packed” to avoid Google Play detection and its main payload is in the “group.png” image file, which is, in fact, an .apk, meaning it is an Android executable.
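A defender can check for this kind of disguise by comparing each image-named file in an app package against its real content. The following is an added example, not Check Point's code or part of the original article: it flags image-named entries that are actually ZIP containers holding APK components. It assumes the embedded payload is stored as a plain, unencrypted ZIP, and the sample package and its `assets/` path are constructed for illustration.

```python
import io
import zipfile

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".bmp")
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def find_disguised_apks(apk_bytes):
    """Return [(entry_name, markers)] for image-named entries that are really APKs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if not info.filename.lower().endswith(IMAGE_EXTS):
                continue
            # Read only the magic bytes first: a PNG starts with \x89PNG,
            # a ZIP/APK with PK\x03\x04.
            with outer.open(info) as f:
                if f.read(4) != b"PK\x03\x04":
                    continue
            try:
                with zipfile.ZipFile(io.BytesIO(outer.read(info))) as inner:
                    markers = APK_MARKERS.intersection(inner.namelist())
            except zipfile.BadZipFile:
                continue  # ZIP magic but not a parseable archive
            if markers:
                findings.append((info.filename, sorted(markers)))
    return findings


def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample():
    """Constructed input: one genuine PNG header and one APK named group.png."""
    inner = _zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"})
    return _zip({
        "AndroidManifest.xml": b"<manifest/>",
        "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "assets/group.png": inner,  # constructed path, not from the article
    })


if __name__ == "__main__":
    for name, markers in find_disguised_apks(build_sample()):
        print(f"{name}: ZIP container holding {', '.join(markers)}")
```

A payload that is encrypted or otherwise transformed inside the image file would not match this check and needs content analysis beyond magic bytes.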

The .apk operates as a dropper that goes much further than HummingBad. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine. The Command and Control server provides fake ads and apps to the installed malware, which presents them to the user.

Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if on a real device. This action generates the fake referrer ID, which the malware uses to generate revenue for the perpetrators.

This method has several advantages:

  • It allows the malware to install apps without gaining elevated permissions first.
  • It disguises the malicious activity, which allows it to infiltrate Google Play.
  • It allows the malware to let go of its embedded rootkit since it can achieve the same effect even without it.
  • It can install an infinite number of fraudulent apps without overloading the device.

It is adware that makes money from hijacking devices and viewing ads that generate click revenue. Most of the infected apps are camera apps and a full list can be found here.


Ray Shaw


Ray Shaw has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT-based radio program on ABC radio for 10 years, has developed world-leading software for the events industry and is smart enough to no longer own a retail computer store!
