The HummingBad malware is back on Google Play in a new avatar. Dubbed HummingWhale, the updated version of the malware was found hidden in 20 different apps on Google Play by security researchers. The infected apps have reportedly already been downloaded by unsuspecting users several million times.
The researchers claim that HummingWhale comes with new "cutting edge techniques" designed to boost the ad fraud campaign. In 2016, the HummingBad malware infected millions of Android devices, allowing the cybercriminals behind the campaign, identified as Yingmob, to rake in around $300,000 a month before it was detected.
According to Check Point security researchers, in 2016, HummingBad managed to dominate the mobile cyberthreat space with over 72% of attacks and was deemed the "most prevalent malware globally". The researchers identified HummingWhale after analysing an infected app that revealed several similarities with HummingBad's code.
"All of the apps were uploaded under the names of fake Chinese developers. In addition to the camera family, researchers were able to identify 16 additional, distinct package names related to the same malware, some of which were also found on Google Play," the Check Point researchers wrote in a blog post.
The researchers noted that HummingWhale makes use of a dropper, which in turn operates an Android plugin called DroidPlugin, to upload fake apps onto virtual machines. HummingWhale's new features allow attackers to install apps onto an infected device without obtaining elevated permissions.
The malware is also capable of camouflaging malicious activity, which allows it to infiltrate Google Play and avoid security detection. One of the most alarming features is the malware's ability to download an infinite number of fake apps "without overloading the device".
The researchers found that HummingWhale adopted tactics used by other prominent Android malware strains such as Gooligan, attempting to increase its malicious apps' ratings in Google Play by using fake comments and ratings.
The Check Point researchers said: "This is a prime example of malware developers learning from each other, as tactics that were introduced by one of them are quickly adopted by others. The fraudulent ratings left by such malware are another reminder that users cannot rely on Google Play for protection, and must apply further, more advanced means of security."
Check Point said it has informed Google's security team about the HummingWhale-infected apps, which have since been removed from Google Play.