Saturday, January 18, 2025
HomeMalwareSophisticated Google Play Store Malware Affected over 10 Millions victims -Dont Download...

Sophisticated Google Play Store Malware Affected over 10 Millions victims -Dont Download These Apps

Published on

SIEM as a Service

Follow Us on Google News

New Android play Store Malware called HummingBad Download several million times by unsuspecting users and possible to gain all root access of the infected Android phone.

Check Point researchers have found a new variant of the HummingBad malware hidden in more than 20 apps on Google Play.

Earlier 2016, Check Point on customer’s devices was discovered this HummingBad Malware.According to the Check point Report,

” HummingBad stands out as an extremely sophisticated and well-developed malware, which employed a chain-attack tactic and a rootkit to gain full control over the infected device “

How This malware infect your Adroid Phone

Check point identified several new HummingBad samples which operate as the previous version did and begun to promote the new HummingWhale version as part of their activity.

This new malware was also heavily packed and contained its main payload in the ‘group.png’ file, which is, in fact, an apk, meaning they can be run as executables.

Check point Explained in blog,

” This .apk operates as a dropper, used to download and execute additional apps, similar to the tactics employed by previous versions of HummingBad”

This dropper went much further. It uses an Android plugin called DroidPlugin, originally developed by Qihoo 360, to upload fraudulent apps on a virtual machine.

First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user.

Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device.

This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators.

All of the Malicious apps were uploaded under the names of fake Chinese developers. In addition to the camera family, researchers were able to identify 16 additional, distinct package names related to the same malware.

All the Related malware contain apps also Discovered in same Google play store.

However, the most suspicious property of these apps was a 1.3MB encrypted file called ‘assets/group.png’ – a suspiciously large file. Some later HummingBad samples disguised as an app called “file-explorer” had the exact same encrypted file with a similar size.

How this Malware Generate Revenue

  1. It allows the malware to install apps without gaining elevated permissions first.
  2. It disguises the malicious activity, which allows it to infiltrate Google Play.
  3. It allows the malware to let go of its embedded rootkit since it can achieve the same effect even without it.
  4. It can install an infinite number of fraudulent apps without overloading the device.
  5. HummingWhale also conducted further malicious activities, like displaying illegitimate ads on a device, and hiding the original app after installation, a trait which was noticed by several users

How many Victims Affected

The malware was spread through third-party app stores and affected over 10 million victims, rooting thousands of devices each day and generating at least $300,000 per month. 

HummingBad was so widespread that in the first half of 2016 it reached fourth place in ‘the most prevalent malware globally’ list, and dominated the mobile threat landscape with over 72% of attacks, Check Point Said.

Affected Package names:

  • com.bird.sky.whalecamera – Whale Camera
  • com.op.blinkingcamera – Blinking Camera
  • com.fishing.when.orangecamera – Orange Camera
  • com.note.ocean.camera – Ocean camera
  • io.zhuozhuo.snail.android_snails -蜗牛手游加速器-专业的vpn,解决手游卡顿延迟问题
  • com.cm.hiporn – HiPorn
  • com.family.cleaner – Cleaner: Safe and Fast
  • com.wall.fast.cleaner – Fast Cleaner
  • com.blue.deep.cleaner – Deep Cleaner
  • com.color.rainbow.camera –             Rainbow Camera
  • com.ogteam.love.flashlight – com.qti.atfwd.core
  • com.wall.good.clevercamera – Clever Camera
  • com.well.hot.cleaner – Hot Cleaner
  • com.op.smart.albums – SmartAlbums
  • com.tree.tiny.cleaner – Tiny Cleaner
  • com.speed.top – Topspeed Test2
  • com.fish.when.orangecamera – Orange Camera
  • com.flappy.game.cat – FlappyCat
  • com.just.parrot.album – com.qti.atfwd.core
  • com.ogteam.elephanta.album – Elephant Album
  • gorer – File Explorer
  • com.with.swan.camera – Swan Camera
  • com.touch.smile.camera – Smile Camera
  • com.air.cra.wars – com.qti.atfwd.core
  • com.room.wow.camera – Wow Camera-Beauty,Collage,Edit
  • com.start.super.speedtest – com.qti.atfwd.core
  • com.best.shell.camera – Shell Camera
  • com.ogteam.birds.album – com.qti.atfwd.core
  • com.tec.file.master – File Master
  • com.bird.sky.whale.camera – Whale Camera
  • cm.com.hipornv2 – HiPorn
  • com.wind.coco.camera – Coco Camera
  • global.fm.filesexplorer – file explorer
  • com.filter.sweet.camera – Sweet Camera
  • com.op.blinking.camera – Blinking Camera
  • com.mag.art.camera – Art camera
  • com.cool.ice.camera – Ice Camera
  • com.group.hotcamera – Hot Camera
  • com.more.light.vpn – Light VPN-Fast, Safe,Free
  • com.win.paper.gcamera – Beauty Camera
  • com.bunny.h5game.parkour – Easter Rush
  • com.fun.happy.camera- Happy Camera
  • com.like.coral.album – com.qti.atfwd.core
  • com.use.clever.camera – Clever Camera
  • com.wall.good.clever.camera – Clever Camera

This infected application has been reported to Google Security Team by Check point malware Research Team and google were Removed those all infected Applications.

Also Read : Gooligan Android Malware

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...

Thousands of PHP-based Web Applications Exploited to Deploy Malware

A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...