A new variant of the advanced Android HummingBad malware has spread to apps in the Google Play store, security researchers have found.
Dubbed HummingWhale by security vendor Check Point, the malware was uploaded to Google Play using fake Chinese developer names. Check Point said it had found HummingWhale in over 20 apps which had bypassed Google's protection measures.
HummingWhale utilises what Check Point said are cutting-edge techniques to conduct ad fraud to generate revenue for its developers.
This includes the use of a disguised Android application package (APK) file that acts as a dropper which downloads and runs further apps, Check Point said.
The dropper uses an Android plugin developed by Chinese security vendor Qihoo 360 to upload fraudulent apps to a virtual machine.
Using a virtual machine allows HummingWhale to install other apps without having to elevate permissions, and disguises malicious activity. The latter tactic allows HummingWhale to infiltrate Google Play, Check Point said.
Thanks to the virtual machine, HummingWhale no longer needs to root Android devices, and can install any number of malicious, fraudulent apps without overloading user handsets.
Apps run on the virtual machine as if it were a real device, generating a fake referrer identification used to spoof unique users for ad fraud purposes. HummingWhale also copies the Gooligan malware tactic of using fake ratings and comments to raise its reputation on Google Play.
The motivation for HummingWhale, and its predecessor, HummingBad, is to earn money via ad fraud and fake app installs, Check Point said.
The firm released a report in July last year, detailing how Chinese mobile advertising and analytics company Yingmob used the HummingBad malware to serve up millions of ads and to install apps.
HummingBad spread through third-party app stores, infecting over 10 million devices, making the malware one of the most prevalent for Android last year.
Yingmob is believed to earn around US$300,000 a month from the malware.