Why Checkpoint’s discovery of HummingBad Malware makes it Google Android Smartphones Hack of 2016

“Yingmob may be the first group to have its high degree of organization and financial self-sufficiency exposed to the public, but it certainly won't be the last”

Israeli based security company Checkpoint commenting on the HummingBad malware affecting some

Not all hummingbirds are Jamaica's National Bird. Some might be Chinese malware.

So says Israeli based security company Checkpoint who claim HummingBad malware has infected some 10 million smartphones since February 2016 as noted in the article “10 million Android devices reportedly infected with Chinese malware”, published July 5, 2016 by Daniel Van Boom, CNET News.

Most of the victims of the attack are in the following counties:

1.      1.6 million in China

2.      1.35 million in India

3.      288,800 devices in the USA

4.      100,000 in UK

5.      100,000 in Australia

Smartphones in Philippines, Indonesia and Turkey as HummingBad mainly targeted smartphones users in this region. But what makes this attack so surprising is that it's a legitimate developer, Yingmob that developed the HummingBad rootkit.

Yingmob is a legitimate and very profitable advertising analytics agency based in Beijing, China to quote CheckPoint:  “Yingmob has several teams developing legitimate tracking and ad platforms. The team responsible for developing the malicious components is the 'Development Team for Overseas Platform' which includes four groups with a total of 25 employees”.

All in all, security analyst Checkpoint estimates that some 85 million smartphones worldwide use their software but only 10 million have the malware.

So how does the HummingBad rootkit work?

Checkpoint’s assessment of HummingBad - Ads and spyware in Google Android smartphones Hack of 2016

HummingBad was originally malware that infected smartphones via persons visiting infected websites.

Once your smartphone was infected, it then self-installed and used its access to generate US$300,000 per month worth of ad revenue by forcing people to click on ads and download app they had no interest to download. It can potentially be used to commandeer your smartphones effectively making your smartphone potentially part of a very large DDOS (Distributed Denial of Service) Botnet attack in the future.

This was made possible by the HummingBad software, basically a rootkit virus, gaining access via silent installation of a fake notification to have the user grant their permission to install it to quote Checkpoints software: “The first component attempts to gain root access on a device with...rootkit [software] that exploits multiple vulnerabilities. If successful, attackers gain full access to a device. If rooting fails, a second component uses a fake system update notification, tricking users into granting HummingBad system-level permissions”.

Aside from ads being forced upon you for monetary gain, there is also the keylogger capturing and reselling of information typed on the phone such as:

1.      Names

2.      Address

3.      Logins and passwords

4.      Telephone numbers from you contacts list

5.      Emails

6.      Social media handles

7.      Credit Card information

This is basically a massive feeding tree of information, most likely collected to be sold on the Dark Web and possibly to legitimate ad networks. Good to note not all of the 85 million infected were Malware; some just collected the information as mentioned above.

It then spreads itself through these vectors, making the HummingBad rootkit possibly one of the most virulent smartphone viruses seen to date since they discovered the Certifi-gate vulnerability back in August 2015 a year ago as noted in my blog article entitled “Check Point Software Technologies discover Certifi-gate – How to Control an Android Lollipop smartphone and Why fragmentation is at fault”.  

The coming of HummingBad fits with the predicted shift towards smartphone hacking and a move away from spamming via email as predicted in my blog article entitled “@symantec's June 2015 Intelligence Report says Spam down 50 percent as Smartphones Hacking Rises”.

But at this rate it's spreading and with no protection other than Google Patches and a factory reset as described in the article “HummingBad malware infects 10m Android devices”, published Wednesday 6 July 2016 by Samuel Gibbs, The UK Guardian, we may potentially be seeing the coming of possibly the greatest Google Android smartphones Hack of 2016!