Android malware dubbed HummingBad made a recent return to Google Play via 20 infected apps that perform ad fraud.
Google has now removed the offending apps harboring a new variant of HummingBad, called HummingWhale, but not before they were downloaded several million times by Android users who thought they were installing camera, flashlight, porn, and utility apps.
According to security firm Check Point, HummingWhale is far better at carrying out ad fraud than its predecessor, HummingBad, which was discovered last year spreading on third-party app stores. HummingBad apps reached 10 million victims, rooting affected devices to support an ad fraud racket that earned its operators around $300,000 per month.
“It was probably only a matter of time before HummingBad evolved and made its way onto Google Play,” wrote Oran Koriat, a mobile security analyst at Check Point.
HummingWhale employs a few tricks, including inserting unwanted ads and hiding the original app after installation. It also posts fraudulent ratings on Google Play to boost its apps' standing, in similar fashion to the recent Gooligan app outbreak. A new HummingWhale feature is the use of an Android plugin called DroidPlugin to install fraudulent apps into a virtual machine within infected devices.
Once the infected app is installed, HummingWhale's operators can deliver fake ads and apps to the user. If the user tries to close the ad, the app is instead moved to the virtual machine, where it operates as if it were running on a real device, helping earn more fraudulent revenue. This design also disguises the malware's fraudulent activity, allowing it to bypass Google Play checks.
Check Point’s researchers believe HummingBad and HummingWhale are from the same developers due to common files and naming structures found in both variants, which were uploaded under bogus Chinese developer accounts.
“The most suspicious property of these apps was a 1.3MB encrypted file called ‘assets/group.png’ – a suspiciously large file. Some later HummingBad samples disguised as an app called “file-explorer” had the exact same encrypted file with a similar size. The new samples of HummingWhale also match several other traits and identifiers seen in previous samples, such as registering to certain events and some identical strings in their code and certificates,” wrote Koriat.
Additionally, the company found new HummingBad samples that were promoting the HummingWhale version of the malware.
“This new malware was also heavily packed and contained its main payload in the ‘group.png’ file, which is, in fact, an apk, meaning they can be run as executables,” added Koriat, noting the app was used to download and run additional apps.
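The indicator described above (an oversized asset named like an image that is really an encrypted or nested APK) is something a reviewer can check for in any APK before publishing or installing it. The following is an added example, not Check Point's or Google's code; it builds a constructed sample APK in memory, then flags assets whose magic bytes do not match their extension or that exceed a size threshold (the threshold and sample contents are assumptions).

```python
import io
import zipfile

# A genuine PNG begins with this 8-byte signature; an APK is a ZIP archive.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"


def suspicious_assets(apk_bytes, size_threshold=1_000_000):
    """Return (entry name, reason) pairs for entries under assets/ whose
    content does not match a .png extension or that are unusually large.
    The 1 MB default threshold is an assumption chosen to catch files in
    the size range reported for 'assets/group.png'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            with apk.open(info) as entry:
                head = entry.read(8)
            if info.filename.lower().endswith(".png") and not head.startswith(PNG_MAGIC):
                if head.startswith(ZIP_MAGIC):
                    findings.append((info.filename, "png extension but ZIP/APK content"))
                else:
                    # High-entropy or unrecognised bytes: possibly an encrypted payload.
                    findings.append((info.filename, "png extension but not a PNG image"))
            if info.file_size >= size_threshold:
                findings.append((info.filename, f"large asset ({info.file_size} bytes)"))
    return findings


def build_sample_apk():
    """Constructed sample: a minimal APK-like zip holding a small real PNG
    and a fake 'assets/group.png' that is actually a nested ~1.3 MB zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 1_300_000)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/icon.png", PNG_MAGIC + b"\x00" * 32)
        z.writestr("assets/group.png", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_assets(build_sample_apk()):
        print(f"{name}: {reason}")
```

On a real APK the same check also reports a "png extension but not a PNG image" finding for an encrypted blob like the one Check Point describes, since neither magic matches.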
Check Point last July pinned HummingBad activity on a Beijing-headquartered advertising analytics firm called Yingmob. The company's analysis found that most of the 10 million users who had installed its bogus apps were in China, India, the Philippines and Indonesia.
According to Google, the Play store's 'Dead or Insecure' (DOI) scoring system does flag apps infected with HummingBad, Gooligan, and another widespread piece of malware called GhostPush. In short, if an Android device stops checking in with Verify Apps, it is considered DOI. Google then homes in on apps that are being downloaded to a large number of DOI devices.
“Although [these malware samples] behave differently, the DOI scorer flagged over 25,000 apps in these three families of malware because they can degrade the Android experience to such an extent that a non-negligible amount of users factory reset or abandon their devices. This approach provides us with another perspective to discover [potentially harmful apps] and block them before they gain popularity,” Google explained recently.