After Neowin reported this time last week how Google fights Android malware, firewall and security vendor Check Point has announced the discovery of a new variant of HummingBad, the malware that surfaced in February 2016 and earned its creators up to $300,000 per month in ad fraud revenue.

Ad fraud refers to a practice whereby malicious software is used to direct a device (or group of devices) to pay-per-visit adverts that are setup using referral paying ad networks. By generating large amounts of referrals to adverts setup by fraudsters from mobile devices, they rack up large payments from advertisers, even though the intended audience isn't actually seeing the adverts.

The new variant, dubbed HummingWhale, aims to achieve the same effect as HummingBad, but uses much more advanced methods than its predecessor, including starting up virtual machines on a user's device in order to generate fake unique referral ID's to fool advertisers. Unlike its predecessor, which relied on third party app stores, HummingWhale was spread as a legitimate looking app on the Google Play store itself.

Check Point outline the basic process used by HummingWhale in their technical analysis:

First, the Command and Control server (C&C) provides fake ads and apps to the installed malware, which presents them to the user. Once the user tries to close the ad, the app, which was already downloaded by the malware, is uploaded to the virtual machine and run as if it is a real device. This action generates the fake referrer id, which the malware uses to generate revenues for the perpetrators.

Able to install without elevated permissions and evade detection on the Google Play store by disguising itself as a camera app, the malware no longer relies on an embedded root kit to function, and is able to run an infinite number of fraudulent apps without overloading the compromised device.

The software was published to the Google Play store using the names of fake Chinese developers, and by the time they were taken down by Google, the app had been downloaded "several million times", according to the Check Point report. They point made out of these findings show that the inclusion of the malware is a reminder that "users cannot rely on Google Play for protection, and must apply further, more advanced means of security".

Source: Check Point | Image: Check Point (modified)