More than 10 million Android phones have been infected with an annoying little piece of malware called HummingBad.
This malware exploits a device’s data by stealing and selling it. While its tactics are fairly run-of-the-mill for malware (drive-by download, data theft, etc.), HummingBad goes a step further by attempting to root the device it infects.
Gaining “root access” gives an attacker administrative-level control of the device, capable of overriding any Android subsystem. Hackers use this mode of infection to cause the most damage and to make their malware difficult to remove. Once HummingBad has rooted a device, it can force the user to click on ads and download apps, but there’s a little more to this malware than that.
Where did HummingBad come from?
In February of this year, cyber security firm Check Point Software detected a “new and unknown mobile malware targeting Android devices.” This malware was then traced to the Chinese mobile advertising firm Yingmob, an organization run by cybercriminals. The number of infected devices has risen steadily since Check Point’s discovery, and although the malware has spread across the world, China and India have the greatest concentrations of infected units, at one million cases each.
The threat posed by HummingBad
HummingBad focuses on taking root in your phone, and it can do this in one of two ways. When you visit an infected site, you experience what’s known as a drive-by-download attack. The malware will then try to gain root access by targeting the underlying Android system. If HummingBad can’t succeed there, it prompts the user with a fake Android update, and if that works, the attackers gain near-full control of the device. Once the device is rooted, the malware goes to work “generating fraudulent advertising revenue” by clicking on ads and downloading apps, potentially without the user’s knowledge.
Reports say that the group responsible, Yingmob, have generated, on average, $300,000 per month by using their malware. Since they also have access to millions of Android devices across the globe, they have the potential to share and sell user information and device control, further growing their profits.
It is the group’s level of organization, access to resources, and organizational structure that make it such a threat, Check Point says in its report. This gives the group the power to do the following:
- Display more than 20 million advertisements per day
- Achieve a click rate of 12.5% equating to roughly 2.5 million clicks per day
- Install more than 50,000 fraudulent apps daily
- Generate more than $10,000 daily through click revenue and app purchases
How to tell if your phone has been infected
Downloading a malware scanner for your mobile device is the best way to protect yourself and check for any signs of malware. If you’ve found that your phone is infected, the only solution is a hard factory reset. Before you commit to a reset, make sure your files and contacts are backed up and that you have made a list of your most used apps.
How to avoid HummingBad malware and other malicious software moving forward
Here are some easy tips to remember that can save you a lot of hassle, stress, and factory resets:
- Only install apps from official stores, such as the Google Play store.
- Read reviews and do research on new or unknown apps to make sure they aren’t actually malware.
- Don’t download apps from untrusted stores, or untrusted apps from websites you’re not already very familiar with.
As malware becomes a more prevalent threat to mobile devices, and with the continued integration of employee-owned devices in the workplace, it’s more important than ever to practice better browsing habits. If our devices become compromised and we connect to work servers or access important office documents, we could become responsible for spreading malware or even opening the door for a data breach.