A common recommendation that Android users get for avoiding malware is to stick with Google Play and not download any apps from other sources. Trouble is, as HummingBad proved early last year by penetrating the search giant’s defenses, that advice is not exactly bullet-proof.
The malware generated $300,000 in revenue every month and infected over 85 million devices, which, at the time, ran popular versions of Android, like KitKat and Jelly Bean. It was also one of the most dangerous pieces of malware in 2016, representing 72 percent of attacks on mobile and ranking fourth in Check Point’s list of “the most prevalent malware globally” in the first half of the year. But that is not the end of the saga, as a new variant, called HummingWhale, has been found on Google Play.
Multiple apps infected by HummingWhale have been published on the app store under the names of fake Chinese developers, notes Check Point’s report. The apps have a common name structure, com.[name].camera (examples include com.bird.sky.whale.camera and com.color.rainbow.camera), but there are titles with different names as well.
Check Point says that they have in common a 1.3MB encrypted file called “assets/group.png”, which is similar to the “file-explorer” file from HummingBad. That file is actually an APK (Android app installer), which is designed to allow other apps to be downloaded and installed on the victim’s Android device.
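As an added triage example (not code from Check Point or from the original article), the two indicators described above can be checked against an APK file: the com.[name].camera naming pattern and a file under assets/ that carries a .png name but lacks the PNG file signature. The function names are hypothetical, the package name is assumed to be supplied by the caller rather than parsed from the manifest, and the sample archives are constructed in memory.

```python
import io
import re
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # 8-byte signature of every real PNG
# Naming pattern reported in the article: com.[name].camera
PKG_PATTERN = re.compile(r"^com\.[A-Za-z0-9_.]+\.camera$")
REPORTED_ASSET = "assets/group.png"        # asset path reported in the article


def triage_apk(apk, package_name=None):
    """Return (kind, name, size) findings for an APK path or file-like object.

    These are triage signals only: the article notes that some infected
    titles use other names, and a benign app can ship a malformed image.
    """
    findings = []
    if package_name and PKG_PATTERN.match(package_name):
        findings.append(("package-name-pattern", package_name, None))
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("assets/") and name.lower().endswith(".png")):
                continue
            with zf.open(info) as fh:
                head = fh.read(len(PNG_MAGIC))
            if head != PNG_MAGIC:
                kind = ("reported-asset-not-png" if name == REPORTED_ASSET
                        else "asset-not-png")
                findings.append((kind, name, info.file_size))
    return findings


def build_sample(assets):
    """Build a constructed, in-memory APK-like zip (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed placeholder")
        for name, data in assets.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    flagged = build_sample({"assets/group.png": b"\x00" * 64})   # no PNG header
    clean = build_sample({"assets/logo.png": PNG_MAGIC + b"constructed"})
    print(triage_apk(flagged, "com.color.rainbow.camera"))
    print(triage_apk(clean, "com.example.notes"))
```

A hit on either check is a reason to inspect the app further, not proof of infection.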
The malware displays fake ads and, using an Android framework called DroidPlugin, creates a fake referrer ID to generate revenue for the attackers. The group behind HummingBad was identified as Yingmob. You can read more about it by following the link in the opening paragraph.
HummingWhale employs shady techniques to boost its ratings on Google Play, which could fool users into thinking that the infected apps are genuine. There are over 40 titles that are spreading this malware.
“The fraudulent ratings left by such malware is another reminder that users cannot rely on Google Play for protection, and must apply further, more advanced means of security”, adds Check Point.