Sergey Nivens - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

How does the HummingBad malware enable click fraud?

The HummingBad malware has infected 10 million mobile devices worldwide. Expert Michael Cobb explains how this exploit enables click fraud and other risks for users.

Check Point recently reported a surge in infections by a form of mobile malware known as "HummingBad," which has spread to approximately 10 million devices worldwide. The malware was traced to a Chinese mobile ad firm, Yingmob, which has been accused of using HummingBad to generate fraudulent ad clicks, among other things. How does HummingBad work and how has it spread to so many devices?

The main purpose of the HummingBad malware -- one of the biggest attacks so far against Android devices -- is to trick users into clicking on mobile and web ads to generate fraudulent advertising revenue.

The Yingmob cybercriminal group implicated in the click fraud racket is also thought to be behind the iOS malware YiSpecter; HummingBad and YiSpecter both use the same command and control (C&C) server addresses. The group also appears to be working in conjunction with a seemingly legitimate Chinese advertising analytics provider.

Extensive research by Check Point puts the launch of HummingBad at August 2015, this being the first month that shows up on the C&C server's dashboard. Since then, nearly 10 million users around the world have been infected, with Android users in China and India being the worst affected.

As Check Point did not find HummingBad-related malware on Google Play, most users have probably been compromised by installing infected apps from third-party stores or websites that don't vet the apps they host as rigorously as Google Play does. Another distribution technique used by Yingmob is drive-by download attacks, probably via various adult content sites.

Yingmob tries to root thousands of devices every day, and is successful in hundreds of attempts. Once installed, the HummingBad malware starts installing a variety of other malicious apps, more than 50,000 fraudulent apps per day globally, which display ads and create clicks. The combined figures are astounding: More than 20 million advertisements shown per day and a click rate of 12.5%, resulting in over 2.5 million clicks per day. This click fraud is generating $300,000 per month for the group in fraudulent ad revenue.

The HummingBad malware uses a multistage attack chain to establish a persistent rootkit, to install additional malicious apps and to generate fraudulent ad revenue. Some versions of the HummingBad malware contain encrypted exploits, while others download them from the C&C servers. HummingBad analyzes the device's configuration to choose how best to run the exploits. If it manages to gain root access to a device, it silently downloads and installs additional apps. If rooting fails, a second component attempts to get the user to grant HummingBad system-level permissions by using cleverly worded, fake notifications and other social engineering techniques.

As the HummingBad malware focuses on click fraud, it is classified as a Potentially Harmful Application by Google, but it has the capability to become far more dangerous. With root access, all data on a compromised device is at risk. With such a large install base, Yingmob could easily begin selling access to infected devices to other cybercriminals, carry out their own targeted attacks against businesses and government agencies, or begin stealing victims' personal information and account login details.

Users who start to experience unexpected "system update" notifications, prompts to install new apps, find apps on their device that they didn't download or notice a battery that drains more rapidly than normal should turn their device off and contact their IT department, who can quarantine the device and investigate whether it has been rooted by HummingBad or other similar auto-rooting malware.

Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Find out how the Triada Trojan can take over an Android device's core processes

Read how Qualcomm chip drivers have left 900 million Android devices vulnerable

Learn how to detect risky jailbroken devices in your enterprise

This was last published in December 2016

Dig Deeper on Mobile security threats and prevention