HummingWhale Android Malware Discovered
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Threat details
HummingWhale, a new variant of the HummingBad malware family, has been found in 46 new applications, 20 of which made it into the official Google Play Store despite Google's security checks. HummingWhale has been distributed mainly through counterfeit apps in the Google Play Store, although it has also been spread through third-party app stores. All of these applications were uploaded under a variety of fake Chinese developer names. Check Point researchers found that most of the rogue apps were camera-related, while others were gaming, music or adult-content apps.
The malware connects to remote command-and-control (C2) servers, which direct it to display unwanted ads to the victim. When the user tries to close an ad, the malware opens a virtual machine on the device and installs the advertised app inside it, using an algorithm designed to keep generating further adverts and installs. Because the installed apps live inside the virtual machine rather than on the device itself, the threat actors can earn revenue and install as many apps as they like without crowding the device's application list and alerting the user. The VM component also makes it harder for security apps to spot HummingWhale's malicious behaviour, and for Google's security checks to detect the malicious apps before they reach the Play Store.
Furthermore, unlike its predecessor HummingBad, HummingWhale can post reviews and ratings on the Google Play Store on behalf of infected users, a tactic used to earn extra revenue or to boost other malicious apps. This type of activity was first seen in malware families such as Gooligan and CallJam and was not part of the original HummingBad code.
Remediation steps
Last edited: 17 February 2020 11:32 am