HummingBad mobile malware

HummingBad, an Android malware estimated to have touched over 85 million devices worldwide, was recently found in 46 new applications, 20 of which had even made their way into the official Play Store, passing Google's security checks.

In terms of Android malware, HummingBad is the biggest player active today, accounting for 72% of all mobile infections, according to Israeli security firm Check Point.

The large number of infections has also garnered HummingBad a place on the top 10 list of currently active malware families in the past few months.

HummingBad creators earning an estimated $300,000 per month

HummingBad is barely a year old, being first detected in February 2016. The malware is used to download other apps on compromised devices or click on ads to generate profits for the malware owners.

A Check Point report released in July 2016 identified Yingmob, an advertising company based in Chongqing, China, as the main suspect behind both the HummingBad (Android) and YiSpecter (iOS) malware families.

According to Check Point, at that point, the HummingBad malware was found in over 200 apps, generating an estimated revenue of $300,000 per month for its creators.

New HummingBad version discovered

Researchers say that the 20 apps they recently discovered contained a new version of HummingBad, which they nicknamed HummingWhale due to the massive changes in its mode of operation.

The biggest change is that HummingWhale appears to have dropped the rootkit component that allowed it to forcibly download unwanted apps on infected devices.

This module appears to have been replaced by DroidPlugin, a plugin initially developed by Qihoo 360 for running virtual machines on Android devices.

HummingWhale works by showing unwanted ads to its victims, but when users try to close the ad, the malware opens a virtual machine and installs the advertised app inside it.

This way, HummingBad's authors earn revenue from pay-per-install affiliate programs and can install as many apps as they want on infected devices without polluting the device's application list.

But the VM component also makes it harder for security apps to spot HummingWhale's malicious behavior, and for Google's security checks to detect malicious apps before they reach the Play Store.

HummingWhale also rates and comments on Play Store apps

Furthermore, HummingWhale gained another feature: the ability to post reviews and ratings on the Google Play Store on behalf of infected users, a tactic used to earn extra revenue or give a boost to other malicious apps.

This type of activity was first spotted with malware families such as Gooligan or CallJam and was not something native to the original HummingBad codebase.

Following HummingWhale's discovery, Google has removed the infected apps. A list of all app package names that were found to contain HummingWhale is available below. These are apps spread through the Google Play Store, but also other third-party stores.
