What is HummingBad and do you have it

Rapid Yvonne
Posted on July 06, 2016, 12:10 am
7 mins

According to a report from Cyber security software company Check Point, recent updates to Android malware called HummingBad has infected more than 10 million smartphones and tablets, and could be installed on nearly 85 million devices around the globe.

In the report, Check Point wrote that it set out to learn more about how hackers conduct mobile malware initiatives. In the case of HummingBad, researchers spent five months examining the malware’s inner workings.

This investigation uncovered critical insights on how attackers conduct mobile malware campaigns:

  • The HummingBad campaign runs alongside a legitimate advertising analytics business, sharing
    their technology and resources, enabling it to control tens of millions of Android devices
  • The campaign generates $300,000 a month; proving attacks can achieve financial self-sufficiency

The latest body count in HummingBad’s efforts clocked in at around 10 million devices, but the numbers don’t stop there, as it is estimated that the malware’s fraudulent ad revenue chalked in at $10,000 a day, or around $300,000 per month, implying that, “attacks can achieve financial sufficiency.”

While victims are spread worldwide, India and China take the lead. The top 20 countries with infected devices have more than 100,000 victims each.

What is HummingBad and do you have it

The malware is installing more than 50,000 apps a day and has been discovered on all versions of Android from Ice Cream Sandwich upwards.

What is HummingBad and do you have it

What is HummingBad

HummingBad is the brainchild of a group of developers called Yingmob. The team operates alongside a legitimate Chinese advertising and analytics company based in Beijing. The Yingmob shares its resources and technology with HummingBad. HummingBad is a move to generate ad revenue and earn hundreds of thousands of dollars. Simply by faking clicks on a device.

HummingBad started out as typical “drive-by attacks” where Android devices were infected after visiting a website, but has since grown into something much more powerful.

HummingBad works by attacking the root system of Android smartphones and tablets running Android Ice Cream Sandwich, all the way up to the latest Android 6.0.1 Marshmallow. If root access isn’t achieved, another level is granted (if successful) after the fake system update notification.

Once done the malware essentially takes over certain aspects of the device. From here it downloads apps from Stores, clicks ads online, and shares other malicious software. All of this ends up making Yingmob nearly $300,000 a month through false clicks and app downloads.

Check Point went on to say “could” be done with this malware.

“The group tries to root thousands of devices every day and is successful in hundreds of attempts. With these devices, a group can create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cybercriminals on the black market. Any data on these devices is at risk, including enterprise data on those devices that serve dual-personal and work purposes for end users”/em>

The research firm went on to state that YingMob could potentially sell information gathered from devices, or even sell access to a large group of devices on the black market.

Do you have HummingBad Malware?

No, most likely you do not have the HummingBad malware infection on your smartphone or tablet. From what we understand roughly 288,000 devices in the United States could be infected, and under 100,000 in the UK or Australia. It looks like bigger markets near the company like China are with 1.6 million, and India having possibly 1.4 million devices at risk.

The number is actually under 10 million in total, which is still a lot. The report states 84 million devices simply because YingMob has the reach to access that many devices. It doesn’t mean they’re all infected, or ever will be.

The scary part of this report is that only a small select group of devices had HummingBad malware installed, but in May they saw a huge spike, which spawned the report and findings to go public. At the end of the day you don’t have anything to worry about, especially if you use caution with what is clicked, where you download apps, and if you use secure devices with security measures like Samsung KNOX.

China and India are huge markets with millions of cheap Chinese knock-offs or budget devices with stock Android, outdated software with poor security, and other situations. The image above shows most infected are running outdated versions of Android.

Can I Check for HummingBad

While it looks like this malware isn’t all that much of a problem, especially in the UK or United States, and isn’t doing anything extremely malicious (aside from making phony clicks to earn tons of money) it’s still something users should somewhat be aware of.

No information has been released regarding how to check for HummingBad malware on devices, or how to remove it. That said, most likely your device is not infected. There are countless virus scanners and preventative apps on the Google Play Store that could scan and check for infections, if you feel the need.

A Google spokesperson stated:

“We’ve long been aware of this evolving family of malware and we’re constantly improving our systems that detect it,”

“We actively block installations of infected apps to keep users and their information safe.”

At the end of the day it’s all about using common sense. Only download apps from the Google Play Store, use caution in regards to what you click on or download, and be smart. Google’s continuously updating Android to be more secure, has promised monthly security patches and more.

Rapid Yvonne
Rapid Yvonne is our Android expert. Proficient in developing for the Android platform, Yvonne handles all our clients who have issues with developing for the Android platform. Born and raised in France, she has a tendency to mumble to herself in French, which seriously gets to the rest of the team.