HummingBad Android malware infects over 10mn smartphones; here’s how to detect it

A new Android malware called HummingBad has reportedly exploited at least 10 million Android devices around the globe. According to an analysis by the IT security company Check Point, which has been tracking the malware since discovering it in February, the number of attacks was steady at first but increased sharply in mid-May.

What makes HummingBad a cause for concern is that it is coded by a highly organized team of Chinese cybercriminals working alongside Yingmob, a multimillion-dollar Beijing analytics company. This group created the malware, which takes over Android devices and generates $300,000 per month in fraudulent ad revenue.

How bad is this malware:

The group effectively controls an array of over 85 million mobile devices around the world and has the potential to sell access to these devices to the highest bidder. According to Check Point researchers, similar malware campaigns may become a trend.

First discovered in February 2016, HummingBad establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional illicit applications.

Tracking the command and control (C&C) servers accessed by the original HummingBad samples detected in February, researchers at Check Point found that the attackers’ cache belongs to Yingmob, a Chinese mobile ad server company. Further investigation revealed that the HummingBad scam runs side by side with Yingmob’s legitimate advertising analytics business, using its technology and resources to gain control of millions of Android devices. The scam generates $300,000 a month, which shows that attacks like this can make the attackers financially self-sufficient.

The group succeeds in rooting hundreds of Android devices, which it can use to create a botnet and carry out targeted attacks on businesses or government agencies. It can even sell the illegal access to those devices on the black market. Gaining unrestricted access to the devices and their sensitive data creates a steady stream of revenue for the cybercriminals. Strengthened by this financial and technological independence, their skills will improve, putting end users, enterprises, and government agencies at risk.

How does HummingBad work:

HummingBad works through a drive-by download: it tries to gain root access on an Android device using a rootkit that exploits numerous vulnerabilities. If successful, the attackers gain full access to the device. If the first rooting attempt does not work, a second attempt uses a fake system update notification, luring users into giving HummingBad system-level permissions. If either method works, HummingBad can download as many illicit apps to the device as possible. The fraudulent apps in the HummingBad campaign consist of several malicious components. In some cases, the malicious components are automatically downloaded to an Android device after the infected apps are installed.

The sad part is that it is almost impossible for a normal smartphone user to get rid of HummingBad; the only way to do so is to back up your data and perform a full factory reset. The most you can do to avoid infection is to not download apps from untrusted sources and to avoid clicking on suspicious advertisements.