One of the most prolific smartphone viruses, which infected an estimated 10 million devices last year alone, is back with a vengeance. Known as HummingWhale, the malware is a new take on HummingBad — and it was embedded in some 20 different Android apps on the Play Store. The virus feeds ads to your devices to generate revenue for its makers.

Image credits Andrekheren / Pixabay.

For a society that spends much its time looking at screens, we’re laughably bad at keeping the bits of code behind them safe from tampering. Which is staggering, since we trust said code with our conversations, location, credit card information, and in some cases, pictures of our junk. A fact which certain groups are perfectly aware of and perfectly ok with cashing in on.

There’s no whale like a malwhale

Last year, cyber security firm Check Point stumbled upon HummingBad, a piece of malware that had infected more than 10 million Android devices through non-Google markets and shady sites — slowly minting money off of each one. It worked by silently downloading into Android devices running anything from Ice Cream Sandwich all the way up to Marshmallow, then attempting to wrestle root privileges through loopholes in the OS. If it failed to do this, HummingBad would prompt the user with a fake upgrade notification — during which it embedded itself in the OS.

For the most part, HumminBad was used to generate ad revenue by logging fake ad clicks from devices and performing unsolicited downloads to generate an estimated US$300,000 each month for Yingmob. It was one of the most advanced pieces of malware ever created and frustratingly difficult to remove. Eventually, though, Google shored up its software and security apps popped up all over to do just that.

But a new member of the family has been released upon the world, and experts are calling it HummingWhale. It infects devices by hitch-hiking on seemingly safe apps, 20 of which could be downloaded from the Play Store. Its end goal is largely the same as it’s predecessors — generate ad revenue for its programmers.

Subscribe to our newsletter and receive our new book for FREE
Join 50,000+ subscribers vaccinated against pseudoscience
Download NOW
By subscribing you agree to our Privacy Policy. Give it a try, you can unsubscribe anytime.

What it does

Check Point has been silently monitoring the Humming family for almost a year now, and reports that the new malware was downloaded between 2 and 12 million times already. They don’t believe Yingmob is behind Whale as well, but the two programs are obviously similar. The software is hidden in 5-star bot-reviewed apps uploaded by false Chinese companies. Its code is stored in a 1.3MB file called ‘assets/group.png‘ that matches many of the traits seen in HummingBad.

Everybody hates it, but it constantly got 5 stars? Pass.
Image credits Oren Koriat / Check Point.

After download, the malware will display unsolicited ads that become increasingly harmful if opened. It doesn’t try to root devices any longer but creates a virtual machine on your device to perform ad fraud and automatically install apps, Check Point reports. It doesn’t require your approval to install these apps. It doesn’t need you to allow permission to use the device. And, if you close the ads or delete the apps, this functionality allows HummingWhale to continue running them in the virtual machine. It just stacks them up, as many as it likes.

“Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device,” Check Point said. “This is a prime example of malware developers learning from each other, as tactics that were introduced by one of them are quickly adopted by others.”

“The fraudulent ratings left by such malware is another reminder that users cannot rely on Google Play for protection, and must apply further, more advanced means of security,” they urged.

Man the Harpoons

Because it can do stuff on your device without you having to approve or even know about, HummingWhale could become a security breach more glaring than the Death Star’s thermal exhaust.

Google has already removed the HummingWhale apps from the Play Store after Check Point alerted them. If you want to scan for the malware, Check Point has an app you can use. Lookout, one of Check Point’s competitors, also has an app set up as well — note that it treats the threat as part of the Shedun malware family.

Dan Gooding of ArsTechnica also recommends that the more tech-savvy among you can check if your device ‘connects to a control server located at Package names for infected apps typically contain a common naming structure that includes, for example (app name: Whale Camera), (Rainbow Camera), and (Orange Camera)’. I’ve included a list of all known compromised apps and their naming structure below.

But if you suspect that you’ve got the Whale, it’s best to murder it violently with (digital) fire — back-up your data, write down your favorite apps, and perform a factory reset.

Infected Apps: – Whale Camera
com.op.blinkingcamera – Blinking Camera – Orange Camera – Ocean camera
io.zhuozhuo.snail.android_snails -蜗牛手游加速器-专业的vpn,解决手游卡顿延迟问题 – HiPorn – Cleaner: Safe and Fast – Fast Cleaner – Deep Cleaner – Rainbow Camera – com.qti.atfwd.core
com.wall.good.clevercamera – Clever Camera – Hot Cleaner – SmartAlbums
com.tree.tiny.cleaner – Tiny Cleaner – Topspeed Test2 – Orange Camera – FlappyCat
com.just.parrot.album – com.qti.atfwd.core
com.ogteam.elephanta.album – Elephant Album
gorer – File Explorer – Swan Camera – Smile Camera
com.air.cra.wars – com.qti.atfwd.core – Wow Camera-Beauty,Collage,Edit
com.start.super.speedtest – com.qti.atfwd.core – Shell Camera
com.ogteam.birds.album – com.qti.atfwd.core
com.tec.file.master – File Master – Whale Camera – HiPorn – Coco Camera – file explorer – Sweet Camera – Blinking Camera – Art camera – Ice Camera – Hot Camera
com.more.light.vpn – Light VPN-Fast, Safe,Free – Beauty Camera
com.bunny.h5game.parkour – Easter Rush Happy Camera – com.qti.atfwd.core – Clever Camera – Clever Camera