Android Hummingbad Malware: What You Need to Know

According to a recent report, new Android malware called HummingBad has infected more than 10 million smartphones and tablets, and could be installed on nearly 85 million devices around the globe. Obviously news like this is worrisome, and here’s what we know so far.

Cybersecurity software company Check Point recently released its findings on HummingBad, which has led to tons of reports claiming millions of users everywhere are at risk.

Similar to the StageFright scare in 2015, users need to know all the details before jumping to conclusions. While Stagefright had the potential to infect a billion devices, HummingBad doesn’t, and isn’t nearly as widespread as the security firm wants everyone to believe. Below is what users need to know about the Android HummingBad malware.

News about a virus or malware pops up all the time, for both Android and iOS, and oftentimes the situation isn’t nearly as deadly as some would have us believe. That said, it’s who is responsible for this one that should have users worried today, and in the future.

The problem with this new report isn’t how many devices are infected or what the malware is doing, but that an actual legitimate company is behind the attacks and infections. According to Check Point, a team of nearly 25 developers at Yingmob, a multi-million dollar advertising company based in Beijing, is the cause of all this noise.

Yingmob is an advertisement and analytics company that makes millions of dollars off clickable ads, pop-ups and even app downloads. Other reports suggest this same company is behind some recent iPhone attacks too. Here’s what we know.

Do I Have HummingBad Malware?

No, most likely you do not have the HummingBad malware infection on your smartphone or tablet. From what we understand, roughly 288,000 devices in the United States could be infected, and under 100,000 in the UK or Australia. It looks like the bigger numbers are in larger markets near the company, with 1.6 million devices in China and possibly 1.4 million in India at risk.

[Image: HummingBad infections by Android version]

The number is actually under 10 million in total, which is still a lot. The report states 84 million devices simply because Yingmob has the reach to access that many devices. It doesn’t mean they’re all infected, or ever will be.

The scary part of this report is that only a small select group of devices had HummingBad malware installed, but in May they saw a huge spike, which prompted the report and findings to go public. At the end of the day, no, you don’t have anything to worry about, especially if you use caution with what you click and where you download apps, and if you use secure devices with security measures like Samsung KNOX.

China and India are huge markets with millions of cheap Chinese knock-offs or budget devices running stock Android, outdated software with poor security, and so on. The image above shows most infected devices are running outdated versions of Android.

What is HummingBad?

From what we’ve gathered so far, HummingBad isn’t malware that’s doing anything malicious, and is more a move to generate ad revenue and earn hundreds of thousands of dollars, simply by faking clicks on a device. Of course having root access to a smartphone or tablet is never good, but we aren’t seeing signs of anything extremely malicious.

HummingBad started out as typical “drive-by attacks” where Android devices were infected after visiting a website, but has since grown into something much more powerful in the effort to earn more money.

According to the Check Point report, the company tries to root thousands of smartphones each and every day. Root gives the company access to the system level of a device, which is where the malware activities take place. Many attempts are successful, but most fail, which then triggers a second attempt via a fake “system update notification”. If a user clicks this, HummingBad is granted certain system-level permissions.

The end result of a device being infected with HummingBad appears to be automatically clicking ad links and, by following links, downloading tons of apps from shady places, all aimed at making a profit. Check Point states nearly 50,000 apps are installed daily.

That said, if the company truly has infected 84 million Android devices, something much more malicious could happen, but doesn’t appear to be happening yet.

How HummingBad Works

HummingBad works by attacking the root system of Android smartphones and tablets running anything from Android Ice Cream Sandwich all the way up to the latest Android 6.0.1 Marshmallow. If root access isn’t achieved, a different level of access is granted (if successful) through the fake system update notification.

Once done, the malware essentially takes over certain aspects of the device. From here it downloads apps from app stores, clicks ads online, and shares other malicious software. All of this ends up making Yingmob nearly $300,000 a month through false clicks and app downloads.

Check Point went on to release this statement, which is essentially what “could” be done with this malware.

“The group tries to root thousands of devices every day and is successful in hundreds of attempts. With these devices, a group can create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cybercriminals on the black market. Any data on these devices is at risk, including enterprise data on those devices that serve dual personal and work purposes for end users”

The research firm went on to state that Yingmob could potentially sell information gathered from devices, or even sell access to a large group of devices on the black market.

Can I Check for HummingBad?

While it looks like this malware isn’t all that much of a problem, especially in the United States, and isn’t doing anything extremely malicious (aside from making phony clicks to earn tons of money), it’s still something users should be somewhat aware of.

No information has been released regarding how to check for HummingBad malware on devices, or how to remove it. That said, most likely your device is not infected. There are countless virus scanners and preventative apps on the Google Play Store that could scan and check for infections, if you feel the need.

Other Details

So far there has been no comment from Google, or the company reportedly responsible, Yingmob, but we’ll be on the lookout for any information. We hear stories like this often, sadly, but most of the time they aren’t nearly as big of a concern as some make them out to be.

At the end of the day, it’s all about using common sense. Only download apps from the Google Play Store, use caution in regards to what you click on or download, and be smart. Google is continuously updating Android to be more secure, and has promised monthly security patches and more. We’ll update once we learn more.