Android app security researchers have discovered a new variant of Android malware, HummingWhale, that has infected a number of apps in the Google Play Store and poses a serious threat to Android app security. HummingWhale is a new strain of the 2016 HummingBad malware.
The researchers, from Check Point, said that HummingWhale got into the Play Store through apps uploaded under the fake names of Chinese developers. The malware infected over 20 applications and bypassed Google’s security measures.
The malware bypasses Android app security to generate revenue for the developers behind it through ad fraud. For example, a disguised Android app package file acts as a dropper that downloads and runs additional apps. The dropper makes use of an Android plugin, made by Qihoo 360, a Chinese security vendor, and uploads malicious apps to a virtual machine. With the help of the virtual machine, HummingWhale installs other apps without obtaining app permissions and disguises all of its malicious activities. This technique lets HummingWhale get through Google Play’s security checks.
HummingWhale poses a serious threat to Android app security because it can install an infinite number of malicious apps with the help of a virtual machine, and it can do this without rooting Android devices. Just like the Gooligan malware, HummingWhale also uses fake comments and ratings to get good ratings on Google Play.
Check Point said that the aim behind HummingWhale and its predecessor HummingBad is to generate revenue through fake app installations and ad fraud. In July 2016, Check Point released a report that showed how the HummingBad malware was used by a Chinese mobile analytics and advertising company to earn revenue. The malware was one of the most prevalent threats to Android app security in 2016: it infected over 10 million devices, and Yingmob earned $300,000 per month.