In February 2016, Check Point discovered a malware strain that establishes a persistent rootkit on an infected device with the goal of generating fraudulent ad revenue for the perpetrators. Named HummingBad, the malware was able to generate $300,000 in monthly revenue within just 5 months of its discovery, and it infected more than 10 million Android devices last year.
Now, almost a year later, a new variant of HummingBad was found in 20 apps on Google Play. Aside from the usual processes employed by HummingBad, the recently discovered malware, dubbed HummingWhale, has been found to have characteristics that make it more powerful than its predecessor.
One of these is an .apk file that acts as a dropper, used to download and execute additional apps. Upon successful infection, HummingWhale will start accepting fake advertisements and malicious apps from its Command and Control server. The ads are then presented to the user of the infected device and the apps are installed.
Once the user closes the ad, the app that came with it is uploaded to a virtual machine that is separate from the device. The app then operates as if it were on a real device, generating fake referral IDs that HummingWhale uses to generate ad revenue for the cyber criminals. The process takes place every time a user is connected to the Internet.
This whole process allows HummingWhale to:
- Install other malicious apps on the infected device without the need for elevated permissions;
- Operate without the knowledge of the victim by hiding itself and all of its processes;
- Install countless apps on the device without overloading it, as the apps are uploaded to separate virtual machines, allowing as many installations as the perpetrators desire; and,
- Let go of its embedded rootkit as it can operate even without it, among other things.
Shortly after discovery, Google removed all of the apps on Google Play that were found to be infected with HummingWhale. However, it is still not known exactly where HummingWhale comes from. If you’re worried about getting infected, one way to stay safe is to install Hotspot Shield malware protection VPN on your device.
Hotspot Shield is a free-to-download malware protection VPN that lets you surf the web without worrying about Trojan files, malvertising and other types of malware. Available for Windows, OS X, iOS and Android, as well as extensions for Chrome and Firefox, Hotspot Shield protects your device from infections by preventing access to websites and links that are known to host malware attacks.
Hotspot Shield does this by notifying you about possible infections and then blocking the site. The websites are identified using a regularly updated database of domains that are known and suspected to be infected. Not only will this secure your device from malware, it will also protect it from phishing sites, spam sites, and content farms.
Hotspot Shield malware protection VPN provides added protection for your device against malware strains like HummingWhale, ensuring more enjoyable and worry-free online sessions. Download Hotspot Shield today or visit our website to learn more about its features. Read our blog for more tips on how you can make your online sessions safer.