Check Point recently reported a surge in infections by a form of mobile malware known as "HummingBad," which has spread to approximately 10 million devices worldwide. The malware was traced to a Chinese mobile ad firm, Yingmob, which has been accused of using HummingBad to generate fraudulent ad clicks, among other things. How does HummingBad work and how has it spread to so many devices?
The main purpose of the HummingBad malware -- one of the biggest attacks so far against Android devices -- is to trick users into clicking on mobile and web ads to generate fraudulent advertising revenue.
The Yingmob cybercriminal group implicated in the click fraud racket is also thought to be behind the iOS malware YiSpecter; HummingBad and YiSpecter both use the same command and control (C&C) server addresses. The group also appears to be working in conjunction with a seemingly legitimate Chinese advertising analytics provider.
Extensive research by Check Point puts the launch of HummingBad at August 2015, this being the first month that shows up on the C&C server's dashboard. Since then, nearly 10 million users around the world have been infected, with Android users in China and India being the worst affected.
As Check Point did not find HummingBad-related malware on Google Play, most users have probably been compromised by installing infected apps from third-party stores or websites that don't vet the apps they host as rigorously as Google Play does. Another distribution technique used by Yingmob is drive-by download attacks, probably via various adult content sites.
Yingmob tries to root thousands of devices every day, and is successful in hundreds of attempts. Once installed, the HummingBad malware starts installing a variety of other malicious apps, more than 50,000 fraudulent apps per day globally, which display ads and create clicks. The combined figures are astounding: More than 20 million advertisements shown per day and a click rate of 12.5%, resulting in over 2.5 million clicks per day. This click fraud is generating $300,000 per month for the group in fraudulent ad revenue.
The HummingBad malware uses a multistage attack chain to establish a persistent rootkit, to install additional malicious apps and to generate fraudulent ad revenue. Some versions of the HummingBad malware contain encrypted exploits, while others download them from the C&C servers. HummingBad analyzes the device's configuration to choose how best to run the exploits. If it manages to gain root access to a device, it silently downloads and installs additional apps. If rooting fails, a second component attempts to get the user to grant HummingBad system-level permissions by using cleverly worded, fake notifications and other social engineering techniques.
As the HummingBad malware focuses on click fraud, it is classified as a Potentially Harmful Application by Google, but it has the capability to become far more dangerous. With root access, all data on a compromised device is at risk. With such a large install base, Yingmob could easily begin selling access to infected devices to other cybercriminals, carry out their own targeted attacks against businesses and government agencies, or begin stealing victims' personal information and account login details.
Users who start to see unexpected "system update" notifications or prompts to install new apps, find apps on their device that they didn't download, or notice a battery that drains more rapidly than normal should turn their device off and contact their IT department, which can quarantine the device and investigate whether it has been rooted by HummingBad or other similar auto-rooting malware.
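One step an IT team can take when triaging a quarantined device is to list its installed packages together with the package that installed each one (`adb shell pm list packages -i`) and review anything that did not come from a trusted store, since the answer above attributes most infections to sideloaded apps and notes that victims find apps they never installed. The script below is an added example written for this page, not code from Check Point or from the article; the trusted-installer set, the system-package baseline and the sample `pm` output are constructed assumptions, and the package names are placeholders, not HummingBad indicators.

```python
"""Triage helper: flag Android packages whose installer cannot be vouched for.

`pm list packages -i` prints one line per package in the form
`package:<name>  installer=<installer package or null>`. Packages pushed by a
trusted store are ignored; everything else (a third-party store, an app that
store installed, or an unknown package with no recorded installer) is listed
for a human to review. Sample output below is constructed for this example.
"""
import re
from typing import Dict, List, Optional

# Installer packages the organisation trusts (assumption for this example).
TRUSTED_INSTALLERS = {
    "com.android.vending",  # Google Play Store
}

# Pre-installed packages report installer=null; in a real triage build this
# baseline from a known-clean device of the same model (constructed here).
KNOWN_SYSTEM_PACKAGES = {
    "com.android.settings",
    "com.android.systemui",
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text: str) -> Dict[str, Optional[str]]:
    """Map each package name to its installer package (None when 'null')."""
    result: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            # Fail loudly rather than silently skipping a package.
            raise ValueError(f"unexpected pm output line: {line!r}")
        inst = match.group("inst")
        result[match.group("pkg")] = None if inst == "null" else inst
    return result


def flag_suspicious(
    packages: Dict[str, Optional[str]],
    trusted=TRUSTED_INSTALLERS,
    baseline=KNOWN_SYSTEM_PACKAGES,
) -> List[str]:
    """Return, sorted, the packages not installed by a trusted store and not in
    the system baseline. A package installed by another flagged package is
    flagged on its own merits because its installer is not trusted either."""
    flagged = []
    for pkg, inst in sorted(packages.items()):
        if inst in trusted:
            continue
        if inst is None and pkg in baseline:
            continue
        flagged.append(pkg)
    return flagged


# Constructed sample of `adb shell pm list packages -i` output.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings  installer=null
package:com.android.systemui  installer=null
package:com.example.bank  installer=com.android.vending
package:com.thirdparty.store  installer=null
package:com.example.flashlight.free  installer=com.thirdparty.store
"""

if __name__ == "__main__":
    for pkg in flag_suspicious(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print("review:", pkg)
```

Run against a real device by piping `adb shell pm list packages -i` into `parse_pm_output`; the flagged list is a starting point for review, not a verdict, since a legitimately sideloaded enterprise app will also appear on it.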
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)