Check Point found that this new variant, dubbed ‘HummingWhale,’ includes new techniques that let it carry out ad fraud more effectively than HummingBad did.
HummingBad originally spread via third-party app stores and in the first half of 2016 it reached fourth place in "the most prevalent malware globally" list and dominated the mobile threat landscape with over 72% of attacks.
All of the infected apps were uploaded to Google Play under the names of fake Chinese developers. In addition to the “Whale camera family”, there were 16 additional, distinct package names related to the same malware.
HummingWhale is “heavily packed” to evade Google Play’s detection, and its main payload is shipped as an image file named “group.png” which is, in fact, an .apk: an Android application package, not an image.
The .apk operates as a dropper that goes much further than HummingBad. It uses DroidPlugin, a plugin framework originally developed by Qihoo 360, to load and run fraudulent apps inside a virtualized environment within its own process rather than installing them on the device. The command-and-control server supplies fake ads and apps to the installed malware, which presents them to the user.
When the user tries to close the ad, the app that the malware has already downloaded is loaded into the virtual environment and run as though it had been installed on a real device. This run produces a fake referrer ID, which the malware uses to generate revenue for the perpetrators.
This method has several advantages:
- It allows the malware to install apps without gaining elevated permissions first.
- It disguises the malicious activity, which allows it to infiltrate Google Play.
- It lets the malware drop the embedded rootkit that HummingBad relied on, since it can achieve the same effect without it.
- It can install an unlimited number of fraudulent apps without overloading the device.
HummingWhale is adware: it makes money by hijacking devices to display ads and generate click revenue. Most of the infected apps are camera apps; a full list is given in Check Point’s report.
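The “group.png”-is-really-an-.apk trick above is easy to catch in triage without reversing anything: every APK is a ZIP archive, so an asset with an image extension that starts with the ZIP local-file-header magic and carries an AndroidManifest.xml or classes.dex entry is a nested app package, whatever its name says. The script below is an added example written for this page, not code from Check Point or from the malware; it builds a constructed sample APK in memory (an inner package hidden as assets/group.png next to a genuine PNG header) and scans it for such masqueraded payloads. Entry names, the sample contents and the helper names are all assumptions made for the illustration.

```python
import io
import zipfile

# Every APK is a ZIP archive, so it begins with a ZIP local file header.
ZIP_MAGIC = b"PK\x03\x04"
# A real PNG begins with this eight-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Extensions that a packer might borrow to make a payload look like an image.
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def looks_like_apk(data: bytes) -> bool:
    """True if the bytes are a ZIP archive carrying Android-specific entries."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Right magic, but not a parsable archive (e.g. truncated or encrypted blob).
        return False
    return "AndroidManifest.xml" in names or "classes.dex" in names


def find_masqueraded_payloads(apk_bytes: bytes) -> list:
    """Return the names of entries that claim an image extension but are really an APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(IMAGE_EXTS):
                continue
            data = zf.read(info)          # decompressed contents of the entry
            if data.startswith(PNG_MAGIC):
                continue                  # a genuine PNG, nothing to flag
            if looks_like_apk(data):
                hits.append(info.filename)
    return hits


def _build_zip(entries: dict) -> bytes:
    """Helper (assumption: built only for this example) that packs name->bytes into a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample, not a real HummingWhale artifact: an inner "APK" that has only the
# tell-tale entries, hidden as assets/group.png beside a benign PNG header.
INNER_APK = _build_zip({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00",
})
SAMPLE_APK = _build_zip({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00",
    "assets/group.png": INNER_APK,
    "assets/logo.png": PNG_MAGIC + b"\x00" * 16,
})

if __name__ == "__main__":
    print(find_masqueraded_payloads(SAMPLE_APK))  # ['assets/group.png']
```

The check deliberately keys on content rather than on the filename, so it also catches payloads hidden under .jpg or .gif names. Its limit is the packing the article mentions: if the embedded .apk is encrypted or otherwise transformed before being written to the asset, the ZIP magic will not be present on disk and the payload only appears in its real form in memory, at which point a dynamic check (hooking the dropper's DexClassLoader or DroidPlugin loading path) is needed instead.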