2016 has been a crazy year for malware. Our devices have been plagued with viruses ranging from little colds such as adware all the way to the influenza-like ransomware. The flavor of choice over the past few months for Android users has been an aggressive form of malware nicknamed "Hummingbad". Discovered in February of this year by the security company Check Point, Hummingbad's sole purpose is to generate money for its creator, the advertising giant Yingmob. This isn't the first time Yingmob has been named responsible for a form of mobile malware. Back in October of 2015, a form of malware similar to Hummingbad named "YiSpecter" was infecting jailbroken and non-jailbroken iOS devices all over mainland China and Taiwan.
So how does Hummingbad work? There are two answers to this question, a simple one and a complex one. Simply put, Hummingbad is a form of highly infectious adware that installs itself on your device via a rootkit. The adware is spread through something known as a "drive-by download attack", meaning it infects your device when you visit specific web pages. Once you visit an infected web page, Hummingbad checks to see if your device is rooted. If it is, Hummingbad finds a nice place to settle down and gets to work. If it's not, Hummingbad attempts to gain root access through a type of software called a rootkit. A rootkit, in this sense, is essentially a software package that takes advantage of multiple unpatched security vulnerabilities on your device to gain root access. In the case of Hummingbad, you will likely see a window pop up asking you to "install an application". If you give it permission, it will get the root access it needs to fully infect your device. Once it finds that nice place to settle down, Hummingbad starts its nefarious work.
As I said before, Hummingbad's purpose is to make money for its creator. It does so mainly by stealing advertising revenue. If your device is infected, Hummingbad will force-install seemingly random applications (through APK files downloaded in the background) by "clicking" on advertisements in the background without your knowledge. At times, it will also force full-page advertisements onto your screen and lock you out of any action except clicking on the ad or downloading an application. For a more in-depth answer, you can look at Check Point's complete report.
Here's the kicker: Hummingbad has infected more than 10 million devices and generates over $300,000 in revenue per month! Of the infected devices, the bulk are located in China, India, the Philippines, Indonesia, and Turkey, with more than a million infected devices per country. The US has only around 288,000 infected devices, and the UK and Australia have around 100,000 each.
So, the question is, how do we protect ourselves? There are a number of applications that can detect Hummingbad, including Check Point's ZoneAlarm, Lookout Security & Antivirus, AVG Antivirus, and Avast Mobile Security & Antivirus. Unfortunately, these applications can only detect Hummingbad's presence and, like a flu test, can't do anything to remove the infection. The only confirmed way to remove Hummingbad is to do a complete factory reset of your device. In terms of prevention, the only way to try to protect ourselves from these kinds of attacks is to download applications only from trusted places and developers, such as through the Google Play Store, and to keep our devices as up-to-date as possible.
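Since the infection shows up as applications installed from background-downloaded APK files rather than from the Play Store, one quick check a defender can run over `adb` is to list third-party packages whose recorded installer is not Google Play. The script below is an added example, not code from the original post or from Check Point; it parses the output of `pm list packages -i -3` (the constructed sample lines and package names are made up for illustration) and flags anything whose installer is not `com.android.vending`, the Play Store's package name. Which installers count as trusted is an assumption you may need to widen for devices that use a vendor store.

```python
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# Installers treated as trusted app sources. Assumption: only the Google Play
# Store (package name com.android.vending); extend this for other vendor stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Each line of `pm list packages -i` looks like:
#   package:<package name>  installer=<installer package or null>
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample output, standing in for a real device's `pm` output.
SAMPLE_PM_OUTPUT = """\
package:com.example.mail  installer=com.android.vending
package:com.example.weather  installer=com.android.vending
package:com.example.unknownapp  installer=null
package:com.example.sideload  installer=com.google.android.packageinstaller
"""


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map each package name to its installer (None when pm reports 'null')."""
    packages: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        match = PM_LINE.match(line.strip())
        if not match:
            continue  # skip blank lines or anything not in the expected format
        installer = match.group("inst")
        packages[match.group("pkg")] = None if installer == "null" else installer
    return packages


def sideloaded_packages(packages: Dict[str, Optional[str]],
                        trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return packages whose installer is missing or not in the trusted set.

    Apps dropped onto the device by a background APK download, or installed by
    hand via the package installer, show up here; apps from the Play Store do not.
    """
    return sorted(pkg for pkg, installer in packages.items()
                  if installer not in trusted)


def fetch_from_device() -> Optional[str]:
    """Run `pm list packages -i -3` over adb if adb is available, else None."""
    if shutil.which("adb") is None:
        return None
    proc = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-i", "-3"],
        capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    # Prefer a live device; fall back to the constructed sample so the script
    # still demonstrates the check when no device is attached.
    raw = fetch_from_device() or SAMPLE_PM_OUTPUT
    suspects = sideloaded_packages(parse_pm_list(raw))
    if suspects:
        print("Third-party packages not installed by the Play Store:")
        for pkg in suspects:
            print("  " + pkg)
    else:
        print("All third-party packages were installed by the Play Store.")
```

A package on this list is not proof of infection (people sideload apps on purpose), but a package you do not remember installing, with no installer recorded, is exactly the footprint the post describes and is worth investigating before deciding whether a factory reset is needed.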
In the words of Check Point, "Yingmob may be the first group to have its high degree of organization and financial self-sufficiency exposed to the public, but it certainly won't be the last." We all have to be on the lookout for new types of malware as they crop up, especially on the ever-growing mobile device platform.
Sources: 1 and 2