Over the past few weeks, reports have surfaced that a new type of malware has infected millions of smartphones and tablets worldwide. The malware in question is highly lucrative for its makers, who can rake in up to 300,000 euros in revenue per month. According to researchers at security firm Check Point, the makers of this malware work for an advertising company called “Yingmob”, which is based in China. The company previously gained some notoriety for peddling an iOS malware dubbed “YiSpecter”.
In the case of HummingBad, an infected device is rooted automatically by the malicious app, i.e. the malware obtains system (root) privileges for itself and can thereby sidestep the Android permission model entirely. All Android versions appear to be affected, with the largest share of infections on Android 4.4 (“KitKat”).
The system privileges the app gains are then used to download all manner of apps in the background, to display ad banners and to generate clicks on websites. The commands for those actions are received from control servers run by Yingmob. Through a ‘pay per click’ and ‘pay per install’ business model, the company earns substantial amounts of money on a daily basis: for each banner that is clicked and each app that is successfully installed, a certain amount of money goes to Yingmob. Though this is only a fraction of a cent per click per device, the strength lies in numbers, and the scheme earns the company daily revenues in the four- to five-digit range. The malicious app is hidden in seemingly legitimate apps, but has also been spread via drive-by download, which requires no user interaction.
The procedure for ad banners is particularly devious: the only way to get rid of an ad banner is to tap on it. It cannot be circumvented using the “Back” button. However, each time the user tries to close a banner, a new app is downloaded and installed in the background, without the user being able to do anything about it.
At the time of writing, the primary objective of the malware is to make money. It is possible, however, to abuse infected devices for other purposes as well. One possibility would be DDoS attacks based on mobile devices. G DATA will continue monitoring the development in this area.
Users who have installed a G DATA solution on their mobile device are protected: the HummingBad malware is detected as "Android.Trojan.Iop.Y" or as "Android.Trojan.Agent.A".
A certain degree of protection can be achieved by installing apps only from Google’s own Play Store. Granted, the Play Store is not completely malware-free, but the chance of picking up a malicious app there is significantly smaller than in third-party app stores.
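Because HummingBad installs further apps silently and outside the Play Store, one quick triage step on a device you suspect is to list every installed package together with the app that installed it and flag everything that did not come through the Play Store, as well as any user app that itself appears as the installer of other apps (the dropper behaviour described above). The following script is an added example and not G DATA's or Check Point's code; it parses the output of `adb shell pm list packages -i`, whose `package:<name>  installer=<installer|null>` line format is assumed here, and the sample output embedded in it is constructed for illustration.

```python
"""Triage installed Android packages for sideloaded apps and droppers.

Input is the text printed by `adb shell pm list packages -i` (format assumed:
"package:<name>  installer=<installer package|null>"). Packages that were not
installed through a trusted installer, or that were installed by another user
app, are reported.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Installers that are normally legitimate on a stock device. Anything else,
# or no installer at all (what silent background installs and `adb install`
# leave behind), deserves a second look.
TRUSTED_INSTALLERS = {
    "com.android.vending",                  # Google Play Store
    "com.google.android.packageinstaller",  # stock package installer UI
}

# Packages that ship in the system image normally have no installer recorded,
# so they are excluded from the alert list (prefix list is an assumption and
# should be extended for a given OEM build).
SYSTEM_PREFIXES = ("android.", "com.android.", "com.google.android.")

# Constructed sample output; not captured from a real infected device.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=null
package:com.google.android.youtube  installer=com.android.vending
package:com.example.flashlight  installer=com.android.vending
package:com.example.sideloaded.game  installer=null
package:com.example.droppedapp  installer=com.example.flashlight
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm prints 'null')."""
    packages: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate blank or unexpected lines
        inst = m.group("inst")
        packages[m.group("pkg")] = None if inst == "null" else inst
    return packages


def is_system_package(pkg: str) -> bool:
    return pkg == "android" or pkg.startswith(SYSTEM_PREFIXES)


def droppers(packages: Dict[str, Optional[str]]) -> Set[str]:
    """Non-system apps that show up as the installer of other packages."""
    return {
        inst for inst in packages.values()
        if inst is not None and not is_system_package(inst)
        and inst not in TRUSTED_INSTALLERS
    }


def flag_suspicious(packages: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return (package, reason) for every non-system package whose installer
    is missing, untrusted, or itself a user app."""
    findings: List[Tuple[str, str]] = []
    for pkg, inst in sorted(packages.items()):
        if is_system_package(pkg):
            continue
        if inst is None:
            findings.append((pkg, "no installer recorded (sideloaded or silently installed)"))
        elif inst not in TRUSTED_INSTALLERS:
            if inst in packages and not is_system_package(inst):
                findings.append((pkg, f"installed by user app {inst} (dropper behaviour)"))
            else:
                findings.append((pkg, f"untrusted installer {inst}"))
    return findings


if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_OUTPUT)
    for pkg, reason in flag_suspicious(pkgs):
        print(f"SUSPICIOUS {pkg}: {reason}")
    for d in sorted(droppers(pkgs)):
        print(f"DROPPER    {d}: installs other apps")
```

To run it against a real device, replace `SAMPLE_OUTPUT` with the output of `adb shell pm list packages -i`. The installer field is only a hint: a legitimately sideloaded app also shows `installer=null`, so findings are a triage list, not a verdict, and a user app that appears as the installer of other apps is the stronger indicator.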
The only way to make an infected device usable again is to perform a factory reset, which also deletes any data that has not been backed up elsewhere. Note that a factory reset wipes the user data partition; because the malware runs with root privileges, it is worth verifying after the reset that no unknown packages remain, and if they do, the device firmware has to be reflashed.