HummingBad, an Android malware that appeared in early 2016, has evidently resurfaced with a few tweaks under the name HummingWhale and has even managed to find its way into the Play Store. The malware was found by Check Point, the same security group that outed the original HummingBad. By isolating a distinctive string from the code contained in the malware itself and searching the Google Play Store for that string, Check Point managed to find 20 different apps containing the malware and reported them to Google. Since then, the apps known to contain HummingWhale have been removed by Google, but caution is still advised.
The apps containing HummingWhale included the likes of Whale Camera, Elephant Album, and Deep Cleaner. The identified apps generated millions of downloads before getting pulled from the Google Play Store. In order to check if your device has been infected and purge the infection if it has, a security and anti-malware app like Lookout or Avast should be your first choice. If these apps are unable to purge the malware from your system, a factory reset may be in order. Custom ROM users should probably wipe everything except their internal and external storage in their recovery of choice and reflash their ROM, GAPPS, kernel, and any mods to be on the safe side.
In its original form, HummingBad relied on a privilege escalation bug of sorts: it packaged a second APK as an asset inside the app. When called, that asset would spin up a virtual device and load a copy of a fraudulent app onto it, generating a unique referral ID and a bit of ad revenue. This happened each time a user closed an ad generated by the app, and because the virtual machine then disappeared, users had no indication of what had happened. These virtual machines could also be used to leave fake Play Store ratings and to drown out, through popularity fraud, the hundreds of users outing the fake apps in their review sections. The exploit was only used to generate fraudulent ad revenue, but it could easily have gained control of infected devices. HummingWhale is much the same, except that it hides its malicious code from the Google Play Store and from Google’s on-device malware filters with a bit of clever code manipulation, while still doing everything that HummingBad’s rootkit did.
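The "APK packaged as an app asset" pattern described above is something an app-vetting pipeline can look for statically. The following is an added example written for this page, not Check Point's detection method and not code from either malware family: it opens an APK (which is just a zip archive), inspects every file under `assets/`, and flags any entry that starts with a DEX header or that is itself a zip carrying `AndroidManifest.xml` or `classes.dex`. The sample APK it scans is constructed in memory with placeholder contents; the asset name `assets/update.bin` and the title string are made up for the demonstration.

```python
import io
import zipfile

# Magic bytes checked at the start of each asset file.
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip/jar/apk
DEX_MAGIC = b"dex\n"        # start of the Dalvik executable header


def classify_zip(data):
    """Label a nested zip as 'apk' if it carries Android package files, else 'zip'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:
        return "zip-like"  # zip signature but unparseable: still worth a look
    if "AndroidManifest.xml" in names or "classes.dex" in names:
        return "apk"
    return "zip"


def find_embedded_packages(apk_bytes):
    """Return (asset path, kind) for assets that look like hidden APK or DEX payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            name = info.filename
            # Only the app's own asset directory is of interest here.
            if info.is_dir() or not name.startswith("assets/"):
                continue
            with outer.open(info) as fh:
                head = fh.read(8)
            if head.startswith(DEX_MAGIC):
                findings.append((name, "dex"))
            elif head.startswith(ZIP_MAGIC):
                with outer.open(info) as fh:
                    findings.append((name, classify_zip(fh.read())))
    return findings


def build_sample_apk(with_payload):
    """Construct a minimal APK-shaped zip for the demo (placeholder contents, not a real app)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", "dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", "dex\n035\x00")
        z.writestr("assets/strings.json", '{"title": "Sample Camera App"}')
        if with_payload:
            # Hypothetical asset name hiding a complete second APK.
            z.writestr("assets/update.bin", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print("clean app:", find_embedded_packages(build_sample_apk(False)))
    print("suspect app:", find_embedded_packages(build_sample_apk(True)))
```

A hit from this check is not proof of malice (some legitimate apps ship plugin jars or split APKs as assets), but it is a cheap first filter: anything flagged should be unpacked and reviewed before the outer app is trusted, and in an automated pipeline the nested package can be scanned with the same rules recursively.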