Security

HummingBad malware infects 10 million Android devices, millions more at risk

A new malware called HummingBad, associated with Chinese cyber criminals Yingmob, has infected millions of devices and brings in millions of dollars of fake ad revenue.

Image: iStockphoto/Kirill_Savenko

When it comes to malware, Android users can't seem to catch a break. According to mobile threat researchers from Check Point, a cyber security solutions provider, a recently-discovered Android malware called HummingBad has infected 10 million Android devices worldwide.

Yes, you read that correctly—10 million devices. But, that is just the beginning. Millions more devices could be at risk from HummingBad, or other malware created by the company behind it.

SEE: 1.2 million infected: Android malware 'Hummer' could be biggest trojan ever (TechRepublic)

This latest information Check Point researchers gathered on HummingBad was released on July 1 in From HummingBad to Worse, a report detailing what the team had learned about the malware. HummingBad was first discovered in February, and it "establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps," according to the report. Currently, it's estimated to be generating $300,000 per month in fraudulent ad revenue.

The party behind HummingBad is a group Chinese cyber criminals known as Yingmob. The group has 25 employees across four different groups that maintain the components of HummingBad. Furthermore, they also provide legitimate advertising analytics products and share their tools and resources among their teams. Yingmob is also suspected to be behind the iOS malware called Yispecter.

While 10 million devices are affected by HummingBad at present, Check Point said that Yingmob has some degree of control over 85 million mobile devices in total. Only a quarter of those devices have some sort of malicious software installed on them, but Yingmob sells access to the devices and information about them to buyers.

China tops the list of most affected by the malware, with 1.6 million devices. India, with 1.35 million cases, comes in second place, respectively. The Philippines takes third place with 520,901 cases. There are 286,800 infected devices in the US.

In terms of affected OS versions, it breaks down like this:

  • KitKat - 50%
  • Jelly Bean - 40%
  • Lollipop - 7%
  • Ice Cream Sandwich - 2%
  • Marshmallow - 1%

HummingBad installs more than 50,000 fraudulent apps each day, and displays more than more than 20 million ads per day in these apps. IT admins should be wary because this put their organization's data at risk.

"With these devices, a group can create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cybercriminals on the black market," the report said. "Any data on these devices is at risk, including enterprise data on those devices that serve dual personal and work purposes for end users."

SEE: Skyrocketing Android ransomware has quadrupled over past year, says new report (TechRepublic)

HummingBad uses a multi-stage attack chain with multiple components. If the initial rooting attempt fails, it makes use of a fake system update notification, to try and trick the user into granting permissions. The malware can install silently if the device is already rooted, so if your device is rooted you may already be in trouble. Also, remember to turn off "unknown sources" in your security settings to further protect yourself.

To get updates, one of the main components in HummingBad uses a JSON file downloaded from d1qxrv0ap6yf2e.cloudfront[.]net/domain/xxx.json. If you have logging enabled, and notice a similar address, that could be a sign that something is wrong. To find out more about how HummingBad works, and to see the possible values associated with it, check out the later pages of the Check Point report.

Malware has long been an issue in the Android ecosystem, but it has been ramping up in recent weeks. The HummingBad announcement came on the heels of another report from Cheetah Mobile, detailing the Hummer trojan affected nearly 1.4 million devices. Additionally, incidents of ransomware on Android devices have jumped dramatically as well.

The 3 big takeaways for TechRepublic readers

  1. Chinese company Yingmob is suspected to be behind Hummingbad, a malware affecting 10 million Android devices worldwide, according to a report from Check Point.
  2. Yingmob also operates a legitimate advertising analytics service, and the company has access to 85 million devices, which they can sell access to if the right buyer comes along.
  3. Malware continues to grow as a major concern in the Android ecosystem, with issues like HummingBad affecting millions of devices, and trojans such as Hummer also running rampant.

Also see

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.

Editor's Picks

Free Newsletters, In your Inbox