igor - Fotolia
What are HummingWhale malware's new ad fraud features?
A HummingBad malware variant, HummingWhale, was discovered being spread through 20 apps on the Google Play Store. Expert Nick Lewis explains the malware's new features.
The HummingBad Android malware, which affected about 10 million devices with its ad fraud activities, resurfaced as HummingWhale, and was being distributed through 20 apps in the Google Play Store. What are the new features of HummingWhale, and how do they work?
As malware and ad developers begin to adopt good ideas and learn from each other to advance their goals, the distinction between malware and adware continues to be blurred. Mobile malware developers seem to be rapidly adopting functionality for generating revenue from their malware.
Check Point researchers discovered a new variant of the HummingBad mobile malware, named HummingWhale, which uses virtual machines as part of its effort to evade antifraud detection in order to generate ad revenue. The HummingWhale malware also tries to raise its reputation in the Google Play Store by using fraudulent ratings and comments, much like the Gooligan malware. It was also found on third-party app stores.
Once the HummingWhale malware is on the endpoint, it downloads a dropper used to further download DroidPlugin. Fake ads and apps are displayed to the user, and when the user attempts to close out the ads, fraudulent apps are uploaded onto the virtual machine. This creates a fake referrer ID, which the HummingWhale malware uses to generate revenue. By using this technique, it can also bypass security checks on the endpoint.
An app with the ability to download external content seems like it could be at high risk, and would be something Google would only cautiously allow, as it is difficult to determine all of the actions an executable might take.
The standard security advice is to only download apps from trusted app stores and to look for highly rated apps, but as HummingWhale demonstrates, this may be insufficient to adequately protect a device. Users should install a third-party security tool, as well.
Learn how to detect the autorooting Android malware LevelDropper
Find out how a malicious app containing a banking Trojan was able to bypass the Google Play Store's security
Discover how the Switcher Android Trojan carries out attacks on wireless routers
Dig Deeper on Threats and vulnerabilities
Related Q&A from Nick Lewis
What are port scan attacks and how can they be prevented?
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Explore benefits and challenges of cloud penetration testing
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
What are the best criteria to use to evaluate cloud service providers?
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading