For the past several months, the American security firm Check Point has been monitoring HummingBad, a new type of malware that targets mobile devices. Check Point says that there has been a spike in infected devices in recent months, reporting that, "HummingBad installs fraudulent apps to increase the revenue stream for the fraudster".
HummingBad can be difficult to detect because its malicious code is encrypted and often goes undetected by antivirus software. Once the malware is installed, it launches a silent attack that repeats itself until its objective is completed. HummingBad's attack consists of several stages that decrypt and unpack themselves, making it a self-deploying, multi-stage attack that exploits multiple vulnerabilities.
Check Point said in a 1 July blog post that HummingBad has become a more serious threat over time. The blog post links to a report on HummingBad that provides a great deal of statistical data and analysis. In this report, you can see that HummingBad became active in August 2015 and has since reached over 10 million Android devices, including 100,000 in Australia. Successful installation of the malware generates $420,000 in fraudulent ad revenue each month.
Check Point was able to follow the Command and Control servers from the original samples detected in February and trace the activity back to the source. Yingmob, a Beijing-based mobile advertising analytics company, is the culprit behind HummingBad. Yingmob was the first group found to have employed malware to increase ad traffic, but it is unlikely that they will be the last. The report also suggests that ad revenue may not be the only objective moving forward, and that the malware could be used to encrypt and steal personal information.
Google said, "We've long been aware of this evolving family of malware and we're constantly improving our systems that detect it. We actively block installations of infected apps to keep our users and their information safe". The safety that Google wants is often difficult to attain because Android runs on third-party hardware, and as a result it has a tougher time than iOS in getting its users to regularly update their phones.
With these recent revelations of malware attacks, Google has made security patches independent from the rest of Android, allowing updates to be released monthly on Nexus and Pixel devices. Other companies that use Android software, including Samsung and LG, are following suit. Additional companies are not as quick to comply, leaving their customers exposed to a growing security threat.
If your device becomes infected with HummingBad malware, the suggested best course of action to fix the problem is to perform a factory reset—wiping the phone completely and reverting it to its original condition. This may be tedious and painstaking, as you will lose contacts, apps, and other information, but that is a small price to pay in order to keep your personal information out of the hands of those who would seek to profit from it.