HummingBad mobile malware

HummingBad, an Android malware estimated to have touched over 85 million devices worldwide, was recently found in 46 new applications, 20 of which had even made their way into the official Play Store, passing Google's security checks.

In terms of Android malware, HummingBad is the biggest player active today, accounting for 72% of all mobile infections, according to Israeli security firm Check Point.

The large number of infections has also garnered HummingBad a place on the top 10 list of currently active malware families in the past few months.

HummingBad creators earning an estimated $300,000 per month

HummingBad is barely a year old, having first been detected in February 2016. The malware is used to download other apps onto compromised devices or to click on ads, generating profits for the malware's owners.

A Check Point report released in July 2016 identified Yingmob, an advertising company based in Chongqing, China, as the main suspect behind both the HummingBad (Android) and YiSpecter (iOS) malware families.

According to Check Point, at that point, the HummingBad malware was found in over 200 apps, generating an estimated revenue of $300,000 per month for its creators.

New HummingBad version discovered

Researchers say that the 20 apps they recently discovered contained a new version of HummingBad, which they nicknamed HummingWhale due to the massive changes in its mode of operation.

The biggest change is that HummingWhale appears to have dropped the rootkit component that allowed it to forcibly download unwanted apps on infected devices.

This module appears to have been replaced by DroidPlugin, a plugin initially developed by Qihoo 360 for running virtual machines on Android devices.

HummingWhale works by showing unwanted ads to its victims, but when users move in to close the ad, the malware opens a virtual machine and installs the advertised app inside it.

This way, HummingBad's authors earn revenue from pay-per-install affiliate programs and can install as many apps as they like on infected devices without polluting the device's application list.

But the VM component also makes it harder for security apps to spot HummingWhale's malicious behavior, and for Google's security checks to detect malicious apps before they reach the Play Store.

HummingWhale also rates and comments on Play Store apps

Furthermore, HummingWhale gained another feature: the ability to post reviews and ratings on the Google Play Store on behalf of infected users, a tactic used to earn extra revenue or to boost other malicious apps.

This type of activity was first spotted with malware families such as Gooligan or CallJam and was not something native to the original HummingBad codebase.

Following HummingWhale's discovery, Google has removed the infected apps. A list of all app package names that were found to contain HummingWhale is available below. These apps were spread through the Google Play Store and also through third-party stores.

    com.bird.sky.whalecamera – Whale Camera
    com.op.blinkingcamera – Blinking Camera
    com.fishing.when.orangecamera – Orange Camera
    com.note.ocean.camera – Ocean camera
    io.zhuozhuo.snail.android_snails – Snail Mobile Game Accelerator: professional VPN, fixes mobile game lag and latency
    com.cm.hiporn – HiPorn
    com.family.cleaner – Cleaner: Safe and Fast
    com.wall.fast.cleaner – Fast Cleaner
    com.blue.deep.cleaner – Deep Cleaner
    com.color.rainbow.camera – Rainbow Camera
    com.ogteam.love.flashlight – com.qti.atfwd.core
    com.wall.good.clevercamera – Clever Camera
    com.well.hot.cleaner – Hot Cleaner
    com.op.smart.albums – SmartAlbums
    com.tree.tiny.cleaner – Tiny Cleaner
    com.speed.top – Topspeed Test2
    com.fish.when.orangecamera – Orange Camera
    com.flappy.game.cat – FlappyCat
    com.just.parrot.album – com.qti.atfwd.core
    com.ogteam.elephanta.album – Elephant Album
    gorer – File Explorer
    com.with.swan.camera – Swan Camera
    com.touch.smile.camera – Smile Camera
    com.air.cra.wars – com.qti.atfwd.core
    com.room.wow.camera – Wow Camera-Beauty,Collage,Edit
    com.start.super.speedtest – com.qti.atfwd.core
    com.best.shell.camera – Shell Camera
    com.ogteam.birds.album – com.qti.atfwd.core
    com.tec.file.master – File Master
    com.bird.sky.whale.camera – Whale Camera
    cm.com.hipornv2 – HiPorn
    com.wind.coco.camera – Coco Camera
    global.fm.filesexplorer – file explorer
    com.filter.sweet.camera – Sweet Camera
    com.op.blinking.camera – Blinking Camera
    com.mag.art.camera – Art camera
    com.cool.ice.camera – Ice Camera
    com.group.hotcamera – Hot Camera
    com.more.light.vpn – Light VPN-Fast, Safe,Free
    com.win.paper.gcamera – Beauty Camera
    com.bunny.h5game.parkour – Easter Rush
    com.fun.happy.camera – Happy Camera
    com.like.coral.album – com.qti.atfwd.core
    com.use.clever.camera – Clever Camera
    com.wall.good.clever.camera – Clever Camera
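
To check a device against this list, the entries can be parsed and compared exactly with the installed packages. The Python below is an added example, not code from Check Point or the original article. It assumes the device inventory comes from `adb shell pm list packages` (optionally with `-f`), uses a short excerpt of the list with deliberately varied separators, and a constructed sample of device output. Apps that HummingWhale installs inside its virtual machine do not appear in the device's application list, so this only finds the carrier apps themselves.

```python
import re

# Android application IDs need at least two dot-separated segments.
PKG_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*)+")

# Excerpt of the list above; separators vary on purpose to exercise the parser.
IOC_EXCERPT = """\
com.bird.sky.whalecamera – Whale Camera
com.fun.happy.camera- Happy Camera
com.room.wow.camera – Wow Camera-Beauty,Collage,Edit
gorer – File Explorer
"""

# Constructed sample of `adb shell pm list packages` output (plain and -f forms).
PM_SAMPLE = """\
package:com.android.chrome
package:com.fun.happy.camera
package:/data/app/~~a1==/x-b2==/base.apk=com.room.wow.camera
package:com.bird.sky.whalecamera.pro
"""

def parse_ioc_list(text):
    """Return ({package: app_name}, [lines that are not 'package - name'])."""
    iocs, rejected = {}, []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = PKG_RE.match(line)
        # Only the first dash after the package separates; app names may contain dashes.
        sep = re.match(r"\s*[–-]\s*", line[m.end():]) if m else None
        if not sep:
            rejected.append(line)   # e.g. a truncated package name: never match on it
            continue
        iocs[m.group(0)] = line[m.end() + sep.end():].strip()
    return iocs, rejected

def parse_pm_output(text):
    """Extract package names; with -f each line is package:<apk path>=<name>."""
    return {l.strip()[len("package:"):].rsplit("=", 1)[-1]
            for l in text.splitlines() if l.strip().startswith("package:")}

def find_listed_apps(ioc_text, pm_text):
    """Exact-match installed packages against the list; prefixes do not count."""
    iocs, rejected = parse_ioc_list(ioc_text)
    hits = sorted(parse_pm_output(pm_text) & set(iocs))
    return [(pkg, iocs[pkg]) for pkg in hits], rejected

if __name__ == "__main__":
    found, skipped = find_listed_apps(IOC_EXCERPT, PM_SAMPLE)
    print("listed apps installed:", found)
    print("unusable list entries:", skipped)
```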