{
	"id": "9891f890-fa15-44f8-a181-0a8a61e15f14",
	"created_at": "2026-04-06T01:29:21.795199Z",
	"updated_at": "2026-04-10T03:30:33.381282Z",
	"deleted_at": null,
	"sha1_hash": "3386e5a3ddea29037c41c6f3ef233acf5074bba1",
	"title": "Virulent Android malware returns, gets \u003e2 million downloads on Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32279,
	"plain_text": "Virulent Android malware returns, gets \u003e2 million downloads on\r\nGoogle Play\r\nBy Dan Goodin\r\nPublished: 2017-01-23 · Archived: 2026-04-06 00:06:16 UTC\r\nA virulent family of malware that infected more than 10 million Android devices last year has made a comeback,\r\nthis time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users.\r\nHummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the\r\nname given to a family of malicious apps researchers documented in July invading non-Google app markets.\r\nHummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the\r\nmalware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000\r\nfraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per\r\nmonth in revenue. Of the 10 million people who downloaded HummingBad-contaminated apps, an estimated\r\n286,000 of them were located in the US.\r\nHummingWhale, by contrast, managed to sneak its way into about 20 Google Play apps that were downloaded\r\nfrom 2 million to 12 million times, according to researchers from Check Point, the security company that has been\r\nclosely following the malware family for almost a year. Rather than rooting devices, the latest variant includes\r\nnew virtual machine techniques that allow the malware to perform ad fraud better than ever, company researchers\r\nsaid in a blog post published Monday.\r\n“Users must realize that they can no longer trust in installing only apps with a high reputation from official app\r\nstores as their sole defense,” the researchers wrote in an e-mail to Ars. 
“This malware employs several tactics to\r\nkeep its activity hidden, meaning users might be unaware of its existence on their device.”\r\nAs was the case with HummingBad, the purpose of HummingWhale is to generate revenue by displaying\r\nfraudulent ads and automatically installing apps. When users try to close the ads, the new functionality causes\r\nalready downloaded apps to run in a virtual machine. That creates a fake ID that allows the perpetrators to\r\ngenerate referral revenues. Use of the virtual machine brings many technical benefits to the operators, chief among\r\nthem allowing the malware to install apps without requiring users to approve a list of elevated permissions.\r\nSource: http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
	],
	"report_names": [
		"virulent-android-malware-returns-gets-2-million-downloads-on-google-play"
	],
	"threat_actors": [
		{
			"id": "0afff988-cf8a-443b-9e2e-8686e511d0ed",
			"created_at": "2023-01-06T13:46:38.45683Z",
			"updated_at": "2026-04-10T02:00:02.982791Z",
			"deleted_at": null,
			"main_name": "HummingBad",
			"aliases": [],
			"source_name": "MISPGALAXY:HummingBad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438961,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3386e5a3ddea29037c41c6f3ef233acf5074bba1.pdf",
		"text": "https://archive.orkl.eu/3386e5a3ddea29037c41c6f3ef233acf5074bba1.txt",
		"img": "https://archive.orkl.eu/3386e5a3ddea29037c41c6f3ef233acf5074bba1.jpg"
	}
}