pixel_dreams - Fotolia

HummingBad Android malware highlights worrying trend, say researchers

Security researchers uncover a cyber crime operating model that provides financial self-sufficiency, which they fear will enable larger and more sophisticated campaigns in the future

Security researchers have traced the HummingBad Android malware to a seemingly legitimate advertising analytics firm in China, highlighting a worrying trend in cyber criminal operations. 

HummingBad is believed to have infected more than 85 million Android devices to yield $300,000 a month in fraudulent mobile ad revenue.

This has been achieved by running the 25-employee malware operation alongside a legitimate business that provides the required funding, infrastructure, technology and skills, according to researchers at security firm Check Point, which has been tracking HummingBad for the past five months.

The security researchers believe this model that provides a high degree of organisation and financial self-sufficiency will escalate, enabling larger and more sophisticated campaigns in the future as their skills advance.

HummingBad, spread mainly by the drive by download technique that requires no interaction from the victim, establishes a persistent rootkit on Android devices, generates fraudulent ad revenue and installs additional fraudulent apps.

Abusing many ad server software development kits (SDKs) and defrauding them for revenue, the researchers said HummingBad uses the entire spectrum of paid events for its operation, including displaying ads, creating clicks and installing fraudulent apps.

But the researchers warn that financial gain is just the tip of the iceberg because the group, known as Yingmob, also succeeds in rooting hundreds of devices every day.

With these devices, a group can create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cyber criminals on the black market, the researchers wrote in a blog post.

Read more about mobile malware

Any data on these devices is at risk, including enterprise data on those devices that serve dual personal and work purposes for users.

Accessing these devices and their sensitive data creates a steady stream of revenue for cyber criminals, the security researchers warn.

HummingBad also appears not to be the only malware campaign being run by Yingmob, as other research groups have associated the same group with the Yispecter malware for Apple iOS.

According to Check Point, Yispecter uses Yingmob’s enterprise certificates to install itself on devices, while HummingBad and Yispecter share command and control (C&C) server addresses, and both install fraudulent apps to gain revenue.

The research team estimates that nearly 10 million people worldwide are using malicious apps spread by HummingBad, with most victims in China (1.6 million) and India (1.3 million).

The 20 countries topping the infection list with at least 100,000 victims include the US (286,800), Russia (207,940), Turkey (448,285) and Brazil (366,566).

The most targeted versions of Android are KitKat (50%), followed by Jelly Bean (40%) and Lollipop (7%). ....... .... ... ... ... ... ... ... ... .... ...  ... ... .. ..

Read more on Hackers and cybercrime prevention