Millions of Android devices (about 10 million, to be more precise) are infected by Hummingbad, a piece of malware that gains root access, installs malicious apps, and dupes users and ad networks in an elaborate fraud campaign. This is what researchers from Check Point discovered after a five-month study. While ad networks are currently the main victims, the level of sophistication of these attacks could threaten many businesses.
Infection and attack
Hummingbad primarily uses a drive-by download attack to infect devices. This means your device can be infected simply by visiting one of the attackers’ malicious websites, even if you don’t intentionally download anything.
The attack consists of two main components:
- A rootkit component that attempts to exploit a wide range of vulnerabilities in order to gain root access to the system
- A fallback component, used when the first one fails, that displays a fake system update notification to trick the user into granting the malware system-level access
Even if Hummingbad fails to gain system-level access, it can still download several malicious apps. These apps display ad banners and force users to click on them. Because the ads belong to legitimate ad networks such as Mobvista and Cheetah, the attackers collect their share of the ad revenue from those clicks. The attackers are believed to earn about $300,000 per month from this scheme alone.
How Hummingbad can affect your business
The fact that Hummingbad can gain root access and install other malicious apps makes it a serious threat to enterprises. With almost everyone bringing smartphones and/or tablets to work, either unofficially or through a BYOD (Bring Your Own Device) program, it’s likely that work-related data is stored on those devices.
Given the level of access Hummingbad is capable of acquiring, it’s not a stretch to imagine the malware operators, or even copycats, eventually adding features for exfiltrating sensitive information stored on the victim’s device. The stolen data could then be sold to fraudsters and identity thieves.
Attackers may also sell access to infected devices, much as server login credentials were sold on the xDedic online marketplace. Other possibilities include assembling these compromised devices (millions of them) into botnets, or using some of them to carry out targeted attacks on people in sensitive positions (e.g. system admins or C-level executives).
Any of these attacks can cause considerable harm to your organization.
While most of the victims are located in Asia, Android users in the United States haven’t been spared completely, with about 286,800 victims in the US.
Upgrading to the latest version mitigates the risk of infection
According to the study, a combined 90% of all infected devices were running Jelly Bean (40%) or KitKat (50%). These are old Android versions, first released in July 2012 and October 2013, respectively. By comparison, only 1% of the infected devices were running Marshmallow, the latest version at the time.
This underlines the importance of upgrading to the latest version. Upgrades may include security updates designed to patch known vulnerabilities. Such updates are especially critical on devices running Android, where vulnerabilities abound. Early this month alone (July 2016), Google released its largest ever security update for Android. That single update addressed an astounding 108 vulnerabilities.
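The upgrade advice above, turned into a simple fleet check, as an added example that is not part of the original article or of Check Point’s research: it takes a constructed BYOD inventory (each device’s Android release and security patch level, as reported by the real ro.build.version.release and ro.build.version.security_patch build properties), flags devices on the Jelly Bean/KitKat family or with a patch level older than an assumed policy window, and reports the share of the fleet still on those two releases.

```python
# Added example: flag BYOD Android devices still on the releases HummingBad hit hardest.
# The inventory, check date and policy thresholds are constructed for illustration;
# ro.build.version.security_patch only exists on Android 6.0 and later builds.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Public Android release names keyed by major.minor version prefix.
CODENAMES = {"4.1": "Jelly Bean", "4.2": "Jelly Bean", "4.3": "Jelly Bean",
             "4.4": "KitKat", "5.0": "Lollipop", "5.1": "Lollipop", "6.0": "Marshmallow"}
LEGACY = ("Jelly Bean", "KitKat")  # 90% of infected devices in the study ran these

@dataclass
class Device:
    device_id: str
    release: str                   # ro.build.version.release, e.g. "4.4.2"
    security_patch: Optional[str]  # ro.build.version.security_patch "YYYY-MM-DD", or None

def version_tuple(release: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in release.split(".") if p.isdigit())  # "4.4.2" -> (4, 4, 2)

def codename(release: str) -> str:
    return CODENAMES.get(".".join(release.split(".")[:2]), "unknown")

def assess(dev: Device, today: date, min_release: str = "5.0",
           max_patch_age_days: int = 90) -> List[str]:
    """Policy findings for one device (assumed policy values); an empty list means compliant."""
    findings = []
    if version_tuple(dev.release) < version_tuple(min_release):
        findings.append(f"release {dev.release} ({codename(dev.release)}) is below {min_release}")
    if dev.security_patch is None:
        findings.append("no security patch level reported")  # typical of pre-6.0 builds
    elif (age := (today - date.fromisoformat(dev.security_patch)).days) > max_patch_age_days:
        findings.append(f"security patch {dev.security_patch} is {age} days old")
    return findings

def summarize(devices: List[Device], today: date) -> Tuple[Dict[str, List[str]], float]:
    """Per-device findings plus the share of the fleet still on Jelly Bean or KitKat."""
    report = {d.device_id: assess(d, today) for d in devices}
    return report, sum(codename(d.release) in LEGACY for d in devices) / len(devices)

# Constructed sample inventory and check date, not real device data.
CHECK_DATE = date(2016, 7, 15)
INVENTORY = [Device("dev-001", "4.3", None), Device("dev-002", "4.4.2", None),
             Device("dev-003", "5.1.1", "2016-01-01"),
             Device("dev-004", "6.0.1", "2016-07-05"), Device("dev-005", "6.0.1", None)]

if __name__ == "__main__":
    for dev_id, findings in summarize(INVENTORY, CHECK_DATE)[0].items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```

Devices that report no patch level at all are flagged rather than skipped, since on a pre-Marshmallow build that absence is itself the finding.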
For more information about this malware and how to avoid getting infected, contact us now.