HummingBad malware returns in new, more annoying variant

Is it a bird? Is it a plane? No, it's a HUMMINGWHALE


The HummingBad malware first discovered in February 2016 is making a return visit to the charts.

The original was cleaned up, but not before the malware's authors Yingmob racked up around US$300,000 per month at its peak.

Check Point Software Technologies says it's spotted the return version, which it's dubbed HummingWhale, adding the authors have added better ad fraud capabilities to the code.

HummingWhale is tricky: if a user notices and closes its process, it then drops itself into a virtual machine to make it harder to detect.

HummingWhale raised Check Point's red flags when apps published under the names of “fake Chinese developers” showed dubious startup behaviours: “It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context.”

The dodgy apps also carried an encrypted 1.3 MB file, the main payload, which presents as if its an image (it's called group.png), but is an executable <code.>apk file.

“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.”

When a user is infected, the command and control sends the user fake ads and apps to the user. The app, running in a virtual machine, generates a fake referrer ID that hits ads to generate the 'net scum's revenue.

Check Point notes the HummingWhale can get apps running without having to get elevated permissions, and disguises its malice to get onto Google Play.

Unlike the original HummingBad, it runs without having to root the victim's phone, and its use of virtual machines means it can install lots of fraudulent apps without overloading the target.

“HummingWhale also tries to raise its reputation in Google Play using fraudulent ratings and comments, similar to the Gooligan and CallJam malware before it”, the post concludes.

Check Point says it spotted HummingWhale in more than 20 apps, which have since been removed from Google Play. ®

Similar topics


Other stories you might like

  • Want to buy your own piece of the Pi? No 'urgency' says Upton of the listing rumours

    A British success story... what happens next?

    Industry talk is continuing to circulate regarding a possible public listing of the UK makers of the diminutive Raspberry Pi computer.

    Over the weekend, The Telegraph reported that a spring listing could be in the offing, with a valuation of more than £370m.

    Pi boss, Eben Upton, described the newspaper's article as "interesting" in an email to The Register today, before repeating that "we're always looking at ways to fund the future growth of the business, but the $45m we raised in September has taken some of the urgency out of that."

    Continue reading
  • JetBrains embraces remote development with new IDE for multiple programming languages

    Security, collaboration, flexible working: Fleet does it all apparently

    JetBrains has introduced remote development for its range of IDEs as well as previewing a new IDE called Fleet, which will form the basis for fresh tools covering all major programming languages.

    JetBrains has a core IDE used for the IntelliJ IDEA Java tool as well other IDEs such as Android Studio, the official programming environment for Google Android, PyCharm for Python, Rider for C#, and so on. The IDEs run on the Java virtual machine (JVM) and are coded using Java and Kotlin, the latter being primarily a JVM language but with options for compiling to JavaScript or native code.

    Fleet is "both an IDE and a lightweight code editor," said the company in its product announcement, suggesting perhaps that it is feeling some pressure from the success of Microsoft's Visual Studio Code, which is an extensible code editor. Initial language support is for Java, Kotlin, Go, Python, Rust, and JavaScript, though other languages such as C# will follow. Again like VS Code, Fleet can run on a local machine or on a remote server. The new IDE uses technology developed for IntelliJ such as its code-processing engine for features such as code completion and refactoring.

    Continue reading
  • Nextcloud and cloud chums fire off competition complaint to the EU over Microsoft bundling OneDrive with Windows

    No, it isn't the limited levels of storage that have irked European businesses

    EU software and cloud businesses have joined Nextcloud in filing a complaint with the European Commission regarding Microsoft's alleged anti-competitive behaviour over the bundling of its OS with online services.

    The issue is OneDrive and Microsoft's habit of packaging it (and other services such as Teams) with Windows software.

    Nextcloud sells on-premises collaboration platforms that it claims combine "the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs." Microsoft's cloud storage system, OneDrive, is conspicuous by its absence.

    Continue reading

Biting the hand that feeds IT © 1998–2021