New HummingWhale Android Malware Infects Millions of Users

A newly discovered version of the infamous HummingBad Android malware known as HummingWhale has been identified, the threat has already infected millions of users.

HummingWhale Android Malware Spawns From HummingBad Origins

Check Point Security experts discovered a new iteration of the infamous HummingBad Android Malware. According to their findings the new version includes several dangerous additions. It is dubbed as HummingWhale and builds upon the successful attacks of its core origin. The HummingBad virus was notorious for accounting for over 72% of the Android malware attacks in the first half of 2016. The researchers suspect that was able to compromise around 10 million Android smartphones and tablets at the time. The new HummingWhale Android malware includes cutting edge techniques that allow it to conduct dangerous system infections.

HummingWhale Android Malware Distribution

HummingWhale spreads mainly through counterfeit apps that are spread across the Google Play Store. All of these applications are uploaded using various fake Chinese developer names. A handful of various camera apps and 16 distinct package are related to the malware. Third-party repositories are also notable for spreading the malware.

All of the samples packed the malware in a payload found in the group.png file. It serves as a dropper which downloads and executes additional commands. The new addition is that it uses the DroidPlugin developed by Qihoo 360.

HummingWhale Android Impact

Once the HummingWhale Android malware is on the affected machines it creates several boot entries which are used to infiltrate the devices and set up a persistent environment. A connection with the remote C&C servers is used to provide fake advertising and applications to the devices. If the victim chooses to close the displayed advertising, a malicious app is executed to subvert the device. The developers of the virus have used a clever algorithm that uses a virtual machine to generate the displayed ads. This is a good way of infecting devices without gaining elevated privileges. It also serves as a stealth detection technique which has allowed the malware to infect various Google Play applications.


The HummingWhale malware is known for conducting illegal reputation ranking by instituting fraudulent comments and ratings from the infected users. Google has already removed all known apps on the Google Play repository. However the researchers are not able to detect on how many third-party stores the malware may have used in other attacks.

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *