HummingBad Android Malware Returns Badder Than Before As HummingWhale

Android malware HummingBad is making a comeback with boosted capabilities that make it harder to detect and remove.

Dubbed HummingWhale, the malware is a tweaked version of HummingBad, which was reportedly created by a Chinese advertising company to trick users of infected Android devices into clicking on mobile and web adverts, thereby generating fraudulent advertising revenue for the company.

In itself, HummingBad was not used for particularly malicious cyber attacks, but because it installs a rootkit on an infected Android device, it gains high-level permissions to the device’s functions, potentially enabling an attacker to wreak havoc within the Android environment, such as installing data-stealing keyloggers or bypassing encrypted email containers.

Return of the HummingBad

Discovered by cyber security firm Check Point, which also found HummingBad, HummingWhale presents a greater threat than HummingBad because it can carry out these functions without relying on gaining root access.

Instead it relies on virtual machines to support it and run fraudulent apps, which avoids overloading a targeted device.

HummingWhale can also run these apps without needing the elevated permissions normally required within the Android mobile operating system.

To make things worse, HummingWhale can also jump onto a virtual machine to hide itself from detection if a user notices and closes its process on their device.

“First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators,” explained Check Point’s mobile cyber security analyst Oren Koriat.

He noted that this allows HummingWhale to install an infinite number of fraudulent apps and disguise its fraudulent activity so that it can infiltrate the Google Play store.

“HummingWhale also conducted further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users,” added Koriat.

Check Point has so far identified 20 apps that were infected with HummingWhale, all of which have since been removed from Google Play. However, the fact that it is effectively old malware making a comeback in a different guise is concerning, and highlights that the open nature of Android, compared to the more locked-down Apple iOS, has its shortcomings.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
