HummingBad Android Malware Returns Badder Than Before As HummingWhale

Android malware HummingBad is making a comeback with boosted capabilities that make it harder to detect and remove.

Dubbed HummingWhale, the malware is a tweaked version of HummingBad, which was reportedly created by a Chinese advertising company to trick users of infected Android devices into clicking on mobile and web adverts, thereby generating fraudulent advertising revenue for the company.

In itself, HummingBad was not used for particularly malicious cyber attacks, but because it installs a rootkit on an infected Android device, it gains high-level permissions to the device's functions. That potentially enables an attacker to wreak havoc within the Android environment, such as by installing data-stealing key-loggers or bypassing encrypted email containers.

Return of the HummingBad

Discovered by cyber security firm Check Point, which also found HummingBad, HummingWhale presents a greater threat than HummingBad because it can carry out these functions without relying on root access.

Instead it relies on virtual machines to support it and run fraudulent apps, which avoids overloading a targeted device.

HummingWhale can also run these apps without needing the elevated permissions normally required within the Android mobile operating system.

To make things worse, HummingWhale can also jump onto a virtual machine to hide itself from detection if a user notices and closes its process on their device.

“First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators,” explained Check Point’s mobile cyber security analyst Oren Koriat.

He noted that this allows HummingWhale to install an infinite number of fraudulent apps and disguise its fraudulent activity so that it can infiltrate the Google Play store.

“HummingWhale also conducted further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users,” added Koriat.

Check Point has so far identified 20 apps that were infected with HummingWhale, all of which have since been removed from Google Play. However, the fact that it is effectively old malware making a comeback in a different guise is concerning, and highlights that the open nature of Android, compared to the more locked-down Apple iOS, has its shortcomings.

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
