So, how does the malware work? HummingBad infects primarily through “drive-by download,” installing itself on devices that visit infected web pages and sites. Its code, which is obfuscated by encryption, attempts to install itself persistently on a given device by multiple means. The first, a “silent operation” that occurs in the background, is triggered every time the device boots up and its screen turns on. HummingBad then checks whether the device is “rooted.” Using a rootkit, the malware can take over an Android device by gaining root access. If that fails, the malware uses fake update notifications to trick the phone’s owner into granting it system-level permissions. Once the phone’s owner loses control of the device, the malware clicks on ads and downloads apps without permission in order to generate advertising revenue.

Yingmob’s ‘Development Team for Overseas Platform’ is said to be the group responsible for the malware. “The group is highly organized,” Check Point notes, “with 25 employees that staff four separate groups responsible for developing HummingBad’s malicious components.” Moreover, the group appears to be extremely successful, generating as much as $300,000 per month from its malicious undertaking. The group also sells access to phones and gives away information stored on them.

Currently, the most affected devices are located in China (1.6 million) and India (1.35 million). In the U.S., that number is 288,800 units. Collectively, Yingmob’s suite of malware now reaches 85 million phones and tablets and is autonomously installing more than 50,000 apps a day, according to Check Point.

“HummingBad uses a sophisticated, multi-stage attack chain with two main components. The first component attempts to gain root access on a device with a rootkit that exploits multiple vulnerabilities. If successful, attackers gain full access to a device. If rooting fails, a second component uses a fake system update notification, tricking users into granting HummingBad system-level permissions. Irrespective of whether rooting is successful, HummingBad downloads as many fraudulent apps to the device as possible. The malicious apps in the HummingBad campaign are made of a mix of several malicious components, many of which have variations with the same functionality. In some cases, the malicious components are dynamically downloaded onto a device after the infected app is installed.” – Check Point

Check Point has been monitoring the malware since it was discovered in February.

So, in such a scenario, how do you protect yourself? Most infected Android users are running the outdated KitKat (4.4) version of Android, while the most current version, Marshmallow (6.0), accounts for only 1% of affected devices. While HummingBad is certainly worrisome, there are steps you can take to avoid becoming a victim.