Chinese Ad Company That Turned Out to Be a Cyber Crime Group Is Back with “a Whale of a Tale”


Security researchers have discovered a new variant of the HummingBad Android malware, first discovered in early 2016, hidden in over 20 different apps on Google Play. HummingBad was highly sophisticated malware that employed a chain-attack strategy and a rootkit to gain complete control of an infected device. Spreading through third-party app stores, HummingBad managed to infect over 10 million devices, generating at least $300,000 a month in ad fraud.

Last summer, Check Point revealed that the Chinese ad firm Yingmob, which claimed to offer ad support, including text, image, and video ads, was actually a cyber crime group. The group had gained control of over 85 million devices, generating the company $300K a month in fraudulent ad revenue.


While the malware was believed to be a problem only for third-party stores, researchers found that it had finally made its way onto Google Play. In 2016, HummingBad was considered the "most prevalent malware globally," dominating the mobile threat landscape with over 72% of attacks.

It is no surprise, then, that researchers and Android users are worried about what havoc the new variant of HummingBad could wreak on Google Play. Don't worry, though: Google removed the apps after the folks at Check Point disclosed the issue to the company. But before that happened, the infamous malware had been downloaded a few million times!

Android malware HummingBad becomes HummingWhale

"It was probably only a matter of time before HummingBad evolved and made its way onto Google Play again," Oren Koriat, Mobile Cyber Security Analyst at Check Point, wrote in a blog post. He added that the infected apps in this most recent campaign on Google Play "were downloaded several million times by unsuspecting users".

Once a user downloads the malicious app, the APK operates as a dropper, downloading several additional apps. "This dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine," Check Point wrote.

DroidPlugin is used by developers to reduce APK sizes and to run multiple instances of apps on the same device. In the case of "HummingWhale", however, fraudsters were using DroidPlugin to upload the malicious app to a virtual machine in order to generate fake referrer IDs.


“First, the command and control server provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer ID, which the malware uses to generate revenue for the perpetrators,” the research team explained.

While Google has now removed all the malicious apps from Google Play, it is unclear whether the malware can still bypass the store's security checks.

Uses cutting edge techniques...

This new variant, which the security experts are calling "HummingWhale", includes new, cutting-edge techniques that allow it to perform ad fraud better than ever before.

The security group says the latest strain of HummingBad is more sophisticated than its predecessor: it can install apps without getting elevated permissions; it can disguise its malicious activity, which is how it infiltrated Google Play; it can install a high number of fraudulent apps without overloading the device; and it can hide the original app after installation.

To increase its chances of being downloaded, HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments. The HummingWhale Android malware can also be used to download and execute other apps.

So, a long list of capabilities. Let's hope this ad company finally bites the dust and never shows up again. But looking at how quickly this latest Android malware has managed to evolve, it looks very likely that we will be hearing about another of its variants very soon.

For more: A Whale of a Tale: HummingBad Returns

Thanks for the tip, Jesse.