HummingBad Mucks Up Android’s Works

Malware imageMore than 85 million Android devices worldwide have been taken over by the Yingmob, a group of China-based cybercriminals who created the HummingBad malware, according to a Check Point report released last week.

HummingBad establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.

If it fails to establish a rootkit, it effectively carpet bombs the target devices with poisoned apps.

HummingBad has been generating revenue of US$300,000 a month, according to Check Point.


The malware runs along with legitimate ad campaigns that Yingmob has produced for its legitimate ad analytics business.

“We’ve long been aware of this evolving family of malware, and we’re constantly improving our systems that detect it,” a Google spokesperson said in a statement provided to reporters by company rep Aaron Stein. “We actively block installations of infected apps to keep users and their information safe.”

onent, SSP, uses a rootkit that exploits multiple vulnerabilities to try to root the target device.

SSP injects a library into the Google Play process using ptrace, Check Point said, which lets HummingBad imitate clicks on install/buy/accept buttons inside Google Play.

If rooting fails, the second component, CAP, installs fraudulent apps using elaborate techniques. It decrypts module_encrypt.jar from its assets when it launches on a device, then dynamically loads code containing the main malware functionality. Next it decrypts and runs a native daemon binary, among other things.

Regardless of whether the rooting succeeds, HummingBad downloads as many fraudulent apps to the target device as possible — a blend of several malicious components, many of them variations with the same functionality.

HummingBad Risk

HummingBad “is very hard to identify, very difficult to get rid of, and massively invasive,” said Rob Enderle, principal analyst at the Enderle Group.

“Alphabet has had a very poor reputation with regard to security, and it will be watched closely to see how quickly and permanently it can mitigate this exploit,” he told reporters.

“If done too poorly or slowly, it could quickly turn Android into an unacceptable risk for the entire industry.

HummingBad could stymie Google’s plans to embed Android more deeply into the auto industry, Enderle noted. Google has effectively built a car infotainment system into Nougat, the latest version of Android, he pointed out, and HummingBad “could easily have adverse implications with regard to driver safety.”