S0321: HummingWhale

HummingWhale is an Android malware family that performs ad fraud. [1]

Domain: Mobile | ID: S0321 | Type: Malware | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

HummingWhale matters because it represents mobile malware used for ad fraud, turning enrolled or employee-used Android devices into sources of unwanted outbound traffic. For leaders, the practical issue is not only the fraud itself, but whether the organization can see risky mobile apps, investigate abnormal device traffic, and prove mobile control coverage when app-store-sourced software becomes untrusted.

Executive priority

Treat this as a mobile security and assurance use case: can the organization identify suspicious Android applications, validate mobile device posture, and collect enough evidence to support incident response, compliance questions, and acceptable-use decisions? Priority should be higher where personally owned or lightly managed mobile devices access corporate identity, email, cloud apps, or operational workflows.

Technical view

MITRE identifies HummingWhale as an Android malware family that performs ad fraud and relates it to T1643, Generate Traffic from Victim. Because no official ATT&CK detection guidance is provided for this object, SOC and IR teams should validate whether mobile security tooling, network monitoring, DNS/proxy logs, identity access logs, and device management records can connect suspicious outbound web traffic or app behavior back to a specific mobile device and installed application. The relationship to T1643 should drive review of outbound traffic generation patterns rather than assumptions about a specific infrastructure or campaign.

Likely telemetry

  • Mobile device management or mobile threat defense inventory showing installed Android applications and device posture
  • Network, DNS, proxy, or secure web gateway logs showing unusual outbound mobile web traffic
  • Mobile app permission and behavior data where available
  • Identity and cloud access logs to determine whether affected mobile devices also access corporate services
  • Incident response artifacts from the device, such as app package details, installation source, timestamps, and user/device ownership records

Detection direction

  • Validate that mobile telemetry exists before writing detections; ATT&CK provides no official detection text for HummingWhale.
  • Look for unusual outbound traffic generation from mobile devices, especially patterns inconsistent with user activity or expected app function.
  • Correlate network indicators with installed app inventory to reduce false positives from legitimate ad-supported applications and normal mobile background traffic.
  • Use the related T1643 context to test whether monitoring can identify traffic-generation behavior, not just known malware names.
  • Check blind spots around unmanaged BYOD devices, mobile traffic that bypasses enterprise proxies, and limited visibility into applications installed from public app stores.
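As an added example (not Glexia's or MITRE's code) of the correlation step above: a small Python triage script that joins constructed secure-web-gateway lines with a constructed MDM inventory, flags quiet-hour request bursts per device and app, and explains each finding through the inventory, including the unmanaged-BYOD blind spot. All device ids, package names, hostnames and thresholds are constructed placeholders, not real indicators.

```python
"""Correlate quiet-hour outbound mobile traffic with MDM app inventory (T1643 triage).
Added example, not Glexia's or MITRE's code; every value below is constructed."""
from collections import Counter
from datetime import datetime

# Constructed secure-web-gateway lines: time, device id, destination host, requesting app.
PROXY_LOG = """\
2024-05-01T02:10:01Z dev-001 ads.placeholder.invalid com.example.weather
2024-05-01T02:10:02Z dev-001 ads.placeholder.invalid com.example.weather
2024-05-01T02:10:04Z dev-001 ads.placeholder.invalid com.example.weather
2024-05-01T09:15:00Z dev-002 news.placeholder.invalid com.example.news
2024-05-01T03:00:00Z dev-003 ads.placeholder.invalid com.example.flashlight
2024-05-01T03:00:01Z dev-003 ads.placeholder.invalid com.example.flashlight
2024-05-01T03:00:02Z dev-003 ads.placeholder.invalid com.example.flashlight
"""
# Constructed MDM/MTD inventory; dev-003 is an unmanaged BYOD device with no app data.
INVENTORY = {
    "dev-001": {"managed": True, "apps": {"com.example.weather": {"ad_supported": True}}},
    "dev-002": {"managed": True, "apps": {"com.example.news": {"ad_supported": True}}},
    "dev-003": {"managed": False, "apps": {}},
}
QUIET_HOURS = range(0, 6)  # assumed UTC window in which user-driven traffic is unlikely
BURST_THRESHOLD = 3        # assumed: this many requests per (device, app) in the window

def parse_log(text):
    """Return (timestamp, device, host, app) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, device, host, app = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), device, host, app))
    return events

def correlate(events, inventory, quiet_hours=QUIET_HOURS, threshold=BURST_THRESHOLD):
    """Flag quiet-hour request bursts per (device, app) and explain each via the inventory."""
    bursts = Counter((dev, app) for ts, dev, _, app in events if ts.hour in quiet_hours)
    findings = []
    for (device, app), n in sorted(bursts.items()):
        if n < threshold:
            continue
        record = inventory.get(device)
        if record is None or not record["managed"]:
            reason = "unmanaged device: no inventory to explain traffic (visibility gap)"
        elif app not in record["apps"]:
            reason = "app absent from inventory: possible unapproved install"
        elif record["apps"][app].get("ad_supported"):
            reason = "known ad-supported app: lower priority, confirm volume is normal"
        else:
            reason = "app not marked ad-supported: investigate"
        findings.append({"device": device, "app": app, "requests": n, "reason": reason})
    return findings
```

Running `correlate(parse_log(PROXY_LOG), INVENTORY)` returns two findings: the managed weather app is down-ranked as known ad-supported, while the unmanaged dev-003 burst is surfaced as a visibility gap rather than silently dropped.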

Mitigation priorities

  • Prioritize mobile device governance for devices accessing corporate resources, including inventory, ownership, and minimum posture requirements.
  • Restrict or review risky mobile applications where management controls allow, especially apps with behavior inconsistent with business need.
  • Ensure mobile access to corporate identity and cloud services is conditional on device compliance where appropriate.
  • Prepare IR procedures for mobile malware triage, including how to preserve app, device, network, and identity evidence.
  • Use this object as a validation case for mobile security monitoring and audit evidence rather than relying on signature-only malware identification.

Analyst notes and limits

The strongest supported facts are that HummingWhale is an Android malware family associated with ad fraud and that it uses the mobile ATT&CK technique T1643, Generate Traffic from Victim. The supplied source also notes reporting about downloads from Google Play, but this take does not infer current exploitation or organizational exposure.

ATT&CK provides no official detection text, no tactics, and no explicit platform field for the HummingWhale object, although the description identifies it as Android malware. Local mobile management coverage, network architecture, and BYOD policy determine how actionable this behavior is in a specific environment.

Official MITRE ATT&CK definition

HummingWhale

HummingWhale is an Android malware family that performs ad fraud. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Mobile
ID: T1643
Name: Generate Traffic from Victim
Relationship / procedure: HummingWhale generates revenue by displaying fraudulent ads and automatically installing apps. When victims try to close the ads, HummingWhale runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f06132c261a67a78...

Imported snapshots across ATT&CK releases (1)
Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: f06132c261a6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ArsTechnica-HummingWhale: Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017. Open source URL
  2. [2] HummingWhale (Citation: ArsTechnica-HummingWhale)
  3. [3] mitre-attack S0321. Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.