HummingBad is a recently disclosed set of malware apps that aims to make its creators lots of money by forcing clicks on ads and downloading apps. It does this by gaining elevated privileges on Android devices. Although this malware has apparently been around since early in 2016, there was a spike in installations in May, prompting increased awareness.
Users and organizations with Skycure have been protected against HummingBad the entire time, as Skycure’s predictive malware engine is able to detect even brand new and unknown malicious apps. Another recent piece of malware, identified by Skycure Research Labs, takes advantage of Android’s Accessibility Clickjacking vulnerability, also to gain elevated privileges and take over the device for spying or ransom. Skycure has analyzed the behavior of about a million apps in the last year and performed deep analysis across many factors, leveraging our massive crowd-sourced threat intelligence database to determine whether apps are malicious or safe.
HummingBad was created by a small group of developers at Yingmob, a multimillion-dollar advertising analytics agency based in Beijing, China. The malware attempts to root the device when first installed. If that fails, a fake system update notification appears to trick users into granting system-level permissions. Although these elevated privileges could allow the perpetrators to steal and sell confidential data, and potentially control the device in other ways, we have seen no evidence that this has happened yet, or that the malware is designed to do it. HummingBad seems to be focused solely on being an automated money-generating machine, apparently raking in up to $300,000 per month. Regardless, allowing your device to be rooted is never a good thing. By far the most infected devices are in China and India, with over a million infected devices each, but fewer than a quarter of that number are affected in the US.
Skycure always recommends installing software from the Google Play store whenever possible to minimize the possibility of downloading malware. Our recent Mobile Threat Intelligence Report shows that third-party app stores such as Aptoide contain malware at 72 times the rate of Google Play, or 1 out of every 23 apps. However, since early versions of HummingBad could be installed simply by visiting infected websites, having a good mobile threat defense solution is essential to protect yourself and your organization.
Check out Skycure’s Mobile Threat Intelligence Report, based on millions of monthly security scans around the world, to learn more about malware and how to protect your device and your organization.