HummingBad Malware Infects 85m Android Devices
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Threat details
HummingBad is connected to Yingmob, a criminal group that disseminates mobile adverts laced with malware to generate fraudulent ad clicks. This group installs more than 50,000 fraudulent apps each day, displays 20 million malicious advertisements and generates more than $300,000 per month in revenue.
Many variants of HummingBad have been found in over 200 different apps. Infected Android devices can be remotely commanded by Yingmob to install additional malware. HummingBad sends notifications to Umeng, a tracking and analytics service used to manage the malware.
The malware uses a multistage attack chain to establish a persistent rootkit, install additional malicious apps and generate fraudulent ad revenue. Some versions of the malware contain encrypted exploits, while others download them from Command and Control servers. HummingBad analyses the device's configuration to choose how best to run the exploits. If it gains root access to a device, it silently downloads and installs additional apps. If this fails, a second component uses fake notifications to try to get the user to grant system-level permissions to HummingBad.
Root access puts all data on a compromised device at risk. With such a large install base, Yingmob could sell access to infected devices to other cybercriminals, carry out their own targeted attacks against businesses and government agencies, or steal victims' personal information and account login details.
Hashes:
- MD5: d14b9a62be312b52ad2896f6f6bc974d
- SHA1: 689a3c37290c14da0a5f0a882bb1643795b2e93d
- SHA256: a65f7dcf5eba2c68ef57e162a3de466e762613009c15b21844a572d1a4f1f834
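The hashes above can be checked against a directory of APK files, for example ones pulled from devices or exported from a mobile device management system. The following is an added example and not part of the original alert; the function names and the directory argument are assumptions, and the hash values are the ones listed in this alert.

```python
import hashlib
import os

# Indicators copied from the "Hashes" list of this alert.
HUMMINGBAD_IOCS = {
    "md5": {"d14b9a62be312b52ad2896f6f6bc974d"},
    "sha1": {"689a3c37290c14da0a5f0a882bb1643795b2e93d"},
    "sha256": {"a65f7dcf5eba2c68ef57e162a3de466e762613009c15b21844a572d1a4f1f834"},
}


def digest_file(path, chunk_size=1 << 20):
    """Read the file once and return its MD5, SHA1 and SHA256 hex digests."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def scan_tree(root, iocs=HUMMINGBAD_IOCS):
    """Return (path, algorithm, digest) for each file under root that matches an IoC."""
    # Normalise case so indicators pasted in upper case still match.
    wanted = {alg: {d.lower() for d in digests} for alg, digests in iocs.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            for alg, value in digests.items():
                if value in wanted.get(alg, ()):
                    hits.append((path, alg, value))
    return hits


if __name__ == "__main__":
    import sys

    # Hypothetical usage: pass the directory holding the collected APKs.
    for path, alg, value in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {alg}={value} {path}")
```

The alert reports many variants in over 200 apps, so an empty result for these hashes does not rule out infection.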
Remediation advice
Users should report their device to their IT supplier if they:
Remediation steps
Last edited: 17 February 2020 11:32 am