HummingBad Malware Infects 85 Million Android Devices

A group of Chinese hackers dubbed Yingmob is using a sophisticated malware campaign called HummingBad to access and sell the info stored on Android devices. The malware may have already infected 85 million devices.

Nathan Eddy, Freelance Writer

July 9, 2016

3 Min Read
<p align="left">(Image: juniorbeep/iStockphoto)</p>

8 Reasons You Need A Security Penetration Test

8 Reasons You Need A Security Penetration Test


8 Reasons You Need A Security Penetration Test (Click image for larger view and slideshow.)

The security vulnerabilities of Google's open source mobile operating system Android are well known, and a report from security specialist Check Point reveals the platform's security issues may be intensifying.

The report tracked a group of hackers called Yingmob in China that controls an arsenal of more than 85 million mobile devices around the world. The group has the potential to sell access to these devices to the highest bidder. The report found that the group is able to generate about $300,000 in revenue each week through malicious ads.

Check Point researchers first discovered HummingBad, a malware that establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps, in February.

The HummingBad campaign runs alongside a legitimate advertising analytics business, sharing its technology and resources. It also allows the group to create a botnet, carry out targeted attacks on businesses or government agencies, or sell the access to other cyber-criminals on the black market.

"Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals," the report warned. "Emboldened by financial and technological independence, their skillsets will advance --putting end users, enterprises, and government agencies at risk."

The 24-page report revealed that any data on these devices is at risk, including enterprise data on those devices that serve dual personal and work purposes for end-users.

It's not only the number of devices affected, it's also the level of sophistication behind the campaign that security professionals found disconcerting.

The report explained that HummingBad uses a sophisticated, multi-stage attack chain with two main components, the first of which attempts to gain root access on a device with a rootkit that exploits multiple vulnerabilities.

If successful, attackers gain full access to a device, but if rooting fails, a second component uses a fake system update notification that tricks users into granting HummingBad system-level permissions.

"Yingmob may be the first group to have its high degree of organization and financial self-sufficiency exposed to the public, but it certainly won't be the last," the report concluded. "Check Point believes this dangerous trend will escalate as other groups learn from Yingmob and find new ways to achieve the independence they need to launch larger and more sophisticated attack campaigns in the future."

Google just released the largest set of Android security updates in its history. It issued a bulletin containing details of security vulnerabilities affecting Android devices -- but the security issues facing the platform persist.

[Read more about Google's two-step authentication.]

Trend Micro reported on June 21 that the mobile malware named GODLESS can target any Android running Android 5.1 (Lollipop) or earlier. The company reported that the malware has affected more than 850,000 devices worldwide and can even be found in prominent app stores such as Google Play.

Soon after, Cheetah Mobile estimated that a Chinese hacking organization was making $500,000 a day via a Trojan dubbed Hummer. Calling it the most prolific Trojan in history, the company reported that during the first half of 2016 alone, Hummer infected nearly 1.4 million devices worldwide. In China alone there were 63,000 infections a day.

Android is not the only platform suffering from security issues.

Based on findings in its third Mobile Threat Intelligence Report, Skycure discovered that in large enterprises 3% of all iOS devices have malware installed, though almost twice as many Android devices are likely to be infected.

About the Author

Nathan Eddy

Freelance Writer

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights