After last year clean up, looks like the HummingBad malware has made a return with its new, more powerful and annoying version.
Back in February 2016 if you remember, HummingBad has made the headlines. This malicious app affected around 10 million Android smartphones around the world.
The software gained root access on the affected devices and started collecting personal data and made it look like they are clicking on ads. They folks behind this made around $300,000 per month.
The malware was spread using third-party app stores and has managed to reach so many devices that it has become the fourth most prevalent malware known. However, it did not manage to infiltrate the official Google Play store.
The new version was dubbed as HummingWhale by the folks at Check Point Software Technologies who first spotted it and saw that it has improved add fraud capabilities in its code. So, if the user spots the app and goes to close the app process then HummingWhale will go under and turns into a virtual machine which is way lot harder to detect.
The new HummingWhale started gaining attention when the apps that were published under the names of several Chinese developers (possibly fake developers) showed the behaviour that was not normal at the startup. “It registered several events on boot, such as TIME_TICK, SCREEN_OFF and INSTALL_REFERRER which [were] dubious in that context,” wrote Check Point. They also carried an encrypted file of 1.3 MB posing as an image but acting as an executable app file.
“This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad. However, this dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine,” the company notes.