A common recommendation that Android users get for avoiding malware is to stick with Google Play and not download any apps from other sources. Trouble is, as HummingBad proved early last year by penetrating the search giant’s defenses, that advice is not exactly bullet-proof.
The malware generated $300,000 in revenue every month and infected over 85 million devices, which, at the time, ran popular versions of Android, like KitKat and Jelly Bean. It was also one of the most dangerous pieces of malware in 2016, representing 72 percent of attacks on mobile and ranking fourth in Check Point’s list of “the most prevalent malware globally” in the first half of the year. But that is not the end of the saga, as a new variant, called HummingWhale, has been found on Google Play.
Multiple apps infected with HummingWhale have been published on the app store under the names of fake Chinese developers, Check Point’s report notes.