HummingBad, an Android malware estimated to have touched over 85 million devices worldwide, was recently found in 46 new applications, 20 of which had even made their way into the official Play Store, passing Google's security checks.
In terms of Android malware, HummingBad is the biggest player active today, accounting for 72% of all mobile infections, according to Israeli security firm Check Point.
The large number of infections has also garnered HummingBad a place on the top 10 list of currently active malware families in the past few months.
HummingBad is barely a year old, having first been detected in February 2016. The malware is used to download other apps onto compromised devices or click on ads to generate profits for the malware owners.
A Check Point report released in July 2016 has identified Yingmob, an advertising company based in Chongqing, China, as the main suspect behind both HummingBad (Android) and YiSpecter (iOS) malware families.
According to Check Point, at that point, the HummingBad malware was found in over 200 apps, generating an estimated revenue of $300,000 per month for its creators.
Researchers say that the 20 apps they recently discovered contained a new version of HummingBad, which they nicknamed HummingWhale due to the massive changes in its mode of operation.
The biggest change is that HummingWhale appears to have dropped the rootkit component that allowed it to forcibly download unwanted apps on infected devices.
This module appears to have been replaced by DroidPlugin, a plugin initially developed by Qihoo 360 for running virtual machines on Android devices.
HummingWhale works by showing unwanted ads to its victims, but when users try to close the ad, the malware opens a virtual machine and installs the advertised app inside it.
This way, HummingBad authors earn revenue from pay-per-install affiliate programs and can install as many apps as they like on infected devices without polluting the device's application list.
But the VM component also makes it harder for security apps to spot HummingWhale's malicious behavior, and for Google's security checks to detect malicious apps before they reach the Play Store.
Furthermore, HummingWhale gained another feature: the ability to post reviews and ratings on the Google Play Store on behalf of infected users, a tactic used to earn extra revenue or give a boost to other malicious apps.
This type of activity was first spotted with malware families such as Gooligan or CallJam and was not something native to the original HummingBad codebase.
Following HummingWhale's discovery, Google has removed the infected apps. A list of all app package names that were found to contain HummingWhale is available below. These apps were spread through the Google Play Store, but also through third-party stores.