Security researchers at Check Point released their findings about HummingBad this week (pdf), after a five-month long analysis of the Android malware campaign. Since first discovered in February 2016, the malware has infected an estimated 10 million Android devices, earning its developer $300,000 a month in revenue from fraudulent ad clicks and app installs. While devices located in China and India make up a comparatively large percentage of infections, western nations like the United States and Mexico still have estimated victim counts of over 250,000 each.
The HummingBad campaign uses drive-by download attacks hosted on adult content sites to initially infect new victims. During infection, the malware attempts to obtain root access on the victim device by exploiting known Android vulnerabilities. If rooting fails, the malware instead creates a fake system update notification to trick users into granting it system-level permissions. During this rooting process, the malware also downloads several malicious components and apps which contain the actual malevolent functionality.
As mentioned earlier, HummingBad’s main intent is to earn revenue through illegitimate ads and fraudulent app installs. Device events such as booting, locking or unlocking your screen, and changing your network connectivity trigger the malware’s main process, causing it to display illegitimate ads that include a fake “close” button. Whether you click the ad or the “close” button, HummingBad’s developers earn revenue from the click. Throughout this process, the malware blocks you from returning to your home screen, making it very hard to avoid these evil ads.
While you’re inadvertently clicking these evil ads, another HummingBad process forcefully downloads and installs more unwanted applications on your device, helping earn the authors even more illicit revenue from something called “installation referrals”. Google Play includes mechanisms that share “INSTALL_REFERRER” information with app developers. This mechanism allows legitimate app developers to pay commissions whenever a customer buys or installs their app based on someone’s referral. The HummingBad malware includes a sophisticated process injection technique that can subvert the Google Play referral process. It can imitate clicks on the install/buy/accept buttons in the Google Play store, allowing the malware to simulate app installation referrals. The malicious process also can inject fake International Mobile Station Equipment Identity (IMEI) numbers during app installation, allowing the same app to be installed multiple times on the same device (which generates even more revenue for these criminals).
If forcing your device into an ad zombie wasn’t bad enough, HummingBad’s root capabilities potentially expose it up to even more foul play. With full system privilege, Attackers could easily leverage the army of HummingBad-infected devices to launch DDoS attacks or simply use its included functionality to load even worse malware onto infected devices.
Interestingly, Check Point’s report connects HummingBad to the Chinese advertisement and analysis company Yingmob—the same firm linked to the Yispecter iOS malware discovered towards the end of 2015. Yingmob applications, both legitimate and malicious, have an estimated installation base of 85 million devices according to the researcher’s findings. I find this very frightening since it puts Yingmob one malicious update away from creating a massive number of infected devices.
There are several steps you should take to protect your Android devices from becoming infected.
- First, avoid rooting your device. While rooting can enable beneficial functionality, which is normally locked down by your carrier, it leaves you wide open to malware installed via drive-by download attacks.
- Second, always keep your device updated with the latest available patches. By running the latest OS update, you limit the vulnerabilities attackers might exploit to install malware like HummingBad. That said, Google allows carriers to package their own versions of Android, and some carriers don’t use the latest Google Android versions. This means your device’s security may be more dependent on your carrier than the devices itself.
- Third, never install applications from unknown sources. By default, Android prevents users from installing applications that aren’t available in the Google Play Store (sideloading). Disabling this prevention leaves you at risk of installing malicious applications like HummingBad.
HummingBad is just the latest in an increasing series of attacks against mobile devices. With an estimated 2 billion smartphones in use worldwide, the incentive for attack is already there. Users need to make sure they are prepared for the incoming onslaught. –Marc Laliberte
July 13, 2016 
WatchGuard Security Center 