HummingWhale Malware Rampant on Google Play
Posted by: Timothy Weaver on 01/23/2017 02:15 PM
According to Check Point researchers, there is a new variant of the HummingBad malware that was found hiding in more than 20 apps on Google Play.
Dubbed HummingWhale, the new variant is more capable of performing ad fraud than ever before. It has been downloaded a few million times. HummingWhale's command and control servers provide fake ads and apps to the installed malware. Once the victim tries to close the ad, the app is uploaded to the virtual machine and runs as if it were on a real device. This in turn creates the fake referrer ID, which the malware uses to generate revenue for the perpetrators.
HummingWhale was very prevalent in the first half of 2016, coming in fourth place on ‘the most prevalent malware globally’ list. It affected over 10 million users and generated $300,000 a month in ad revenue.
“It was probably only a matter of time before HummingBad evolved and made its way onto Google Play again,” said Check Point researchers, in a posting. “It allows the malware to install apps without gaining elevated permissions first, then disguises the malicious activity, which allows it to infiltrate Google Play. It also allows the malware to let go of its embedded rootkit since it can achieve the same effect even without it. It can install an infinite number of fraudulent apps without overloading the device.”
Google Play's security team has since removed the app.
Source: Info Security
