The malware had initially spread via third party apps and is said to have affected more than 10 million phones, rooting thousands of devices every day and generating money to the tunes of $300,000 every month. Security researchers have unearthed that the new variant of the malware is seeking refuge in more than 20 Android apps on the Google Play Store and the apps are already downloaded by over 12 Million. Google has already acted upon the reports and has removed the apps from the Play Store. Furthermore, Check Point researchers have revealed that the HummingWhale infected apps were published with the help of a Chinese developer alias and was associated with suspicious startup behavior.
HummingBad Vs HummingWhale
The first question that pops into anyone’s head is how sophisticated is HummingWhale as opposed to HummingBad. Well to be honest despite sharing the same DNA the modus operandi is pretty different. HummingWhale users an APK to deliver its payload and the in case the victim makes note of the process and tries to close the app, the APK file is dropped into a virtual machine thus making it nearly impossible to detect. HummingWhale doesn’t need to root the devices and works via the Virtual Machine. This allows the malware to initiate any number of fraudulent installations on the infected device without actually showing up anywhere. The ad fraud is carried over by the command and control (C&C) server that sends fake ads and apps to the users which in turn run on VM and depend on fake referrer ID to trick users and generate ad revenues. The only word of caution is to ensure that you download apps from the reputed developers and scan for signs of fraud.