HummingBad Android malware: who did it, why, and is your device infected?


Android malware created by a Chinese advertising company has put as many as 85m devices at risk. Here's everything you need to know about it.

When researchers revealed that a Chinese advertising company had created one of the most pernicious pieces of Android malware yet, they estimated that it had infected 10m Android handsets worldwide.

Dubbed HummingBad by researchers at the security firm Checkpoint, it is one of the biggest attacks to date on Android, the world's most popular mobile operating system, which runs on more than 80% of all smartphones as well as tablets.

While this attack isn't catastrophic, it opens the door for future attacks that could be, say security experts. Researchers haven't been able to say which Android handsets are most susceptible, but say that as many as 85m of the world's Android devices are vulnerable.

Who did this, and why?

According to a report by Checkpoint, the main purpose of the HummingBad malware is to trick users into clicking on mobile and web ads, which generates advertising revenue for its parent company, Yingmob, a practice known as click fraud. "It's a lot like the browser toolbars designed to deliver ads to your computer a decade ago," says Dan Wiley, head of incident response for Checkpoint.

But HummingBad is far worse. Because the malware gains root access to Android, the very heart of your phone's operating system, and then calls home to a server controlled by Yingmob, it could be used to do virtually anything the attacker wants it to do, from spying on your personal information to stealing your bank login details.

Even if the creators of the malware only use it for click fraud, they could decide to sell the rootkit on the internet's black market, says Wiley. "It's an extreme nuisance, with the potential to turn into a really nasty event," he adds.

It's like a burglar who finds a secret passage into your home, sprays graffiti on your walls and eats all the food in the fridge. Later he could come back to ransack your house and steal all your money, or share knowledge of the secret passage with someone who will.

"Rooting an Android device is not an inherently evil practice," notes Andrew Brandt, director of threat research for security firm Blue Coat Systems. "Many people root their own phones in order to more tightly control the behavior of their mobile devices. But rooting done without the knowledge and consent of the owner of the device is an inherently hostile act."

How did it get so bad?

Most people probably got infected because they installed a less-than-hygienic app from a third-party Android store or website, says Wiley. Checkpoint, he adds, did not find any of the malware-infested apps on Google Play, the primary source of Android apps for most US consumers. Other people may have visited a dodgy website, which prompted them to install a piece of software containing a hidden payload. And once installed, the malware invited even more of its nasty friends to the party, downloading additional payloads.

The vast majority of the 10m infected handsets reside in China and India, indicating third-party app stores, which are far more popular overseas, as the most likely sources. But around 250,000 are based in the US, so they could be people who are traveling from Asia to the US, or simply people who ignore Android's default settings and allow app installs from third-party sites, Wiley explains.

Are you at risk?

A lot depends on whether you install apps from sources other than Google Play and how old your version of Android is, says Shaun Aimoto, principal software quality assurance engineer at Symantec, which sells Norton Mobile Security for Android handsets.

Older versions of Android like Jelly Bean (4.1 to 4.3) and KitKat (version 4.4.x) are at higher risk for root exploits, says Aimoto. "Fortunately most of these exploits are well known and can be prevented by having up-to-date security software installed," he notes.

How do you know if you're infected?

If your phone starts displaying unusual advertisements, or you start running out of data on your mobile plan a lot sooner than usual, then you might be infected. "But odds are you won't ever know," says Wiley.

Other telltale signs include receiving unexpected system update notifications, prompts to install a new app, or finding apps on your phone that you didn't put there, and a battery that drains more rapidly than normal, adds Aimoto.
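As an added example, not code from the article, Checkpoint or Google, the following POSIX shell script turns the indicators mentioned in this section and the two before it into checks that can be run against a phone over a USB-debugging connection with adb: whether installs from unknown sources are enabled, whether the Android release is one of the 4.1 to 4.4 builds described as most exposed, which third-party packages did not come from Google Play (using the installer field the package manager reports), and whether a su binary is present on a phone the owner never rooted. The adb commands are standard ones, but the sample device output at the bottom is constructed so the script runs offline, and the allowlist of a single trusted installer (com.android.vending) is an assumption; an OEM or enterprise app store would need adding.

```shell
#!/bin/sh
# Added triage helper, not code from the article, Check Point or Google.
# Each function parses the output of one standard `adb shell` command; the
# sample inputs at the bottom are constructed so the script runs offline.

# Input on stdin: `adb shell pm list packages -3 -i`, one line per third-party
# package, e.g.  package:com.example.app  installer=com.android.vending
# Prints every package whose installer is not Google Play. "null" means a
# sideloaded APK or an install triggered by another app on the device, which
# is how the article says HummingBad pulls in its additional payloads.
# Assumption: only com.android.vending is trusted; add OEM/enterprise stores.
flag_sideloaded() {
    tr -d '\r' | while IFS= read -r line; do      # older adb emits CRLF
        case "$line" in package:*) ;; *) continue ;; esac
        set -- $line                  # $1 = package:<name>, $2 = installer=<pkg>
        pkg=${1#package:}
        inst=${2#installer=}
        [ -n "$inst" ] || inst=unknown
        case "$inst" in
            com.android.vending) ;;   # installed through Google Play: fine
            *) printf '%s %s\n' "$pkg" "$inst" ;;
        esac
    done
}

# $1: value printed by `adb shell settings get secure install_non_market_apps`
# or `... get global install_non_market_apps` (the key has lived in both
# namespaces across releases; query both and pass whichever is not "null").
# Succeeds when "Unknown sources" is switched on, the non-default setting the
# article says US victims most likely changed.
unknown_sources_enabled() {
    [ "$1" = "1" ]
}

# $1: value printed by `adb shell getprop ro.build.version.release`.
# Succeeds for the 4.1-4.4 (Jelly Bean/KitKat) releases the article flags as
# most exposed to the known root exploits.
old_android_release() {
    case "$1" in 4.[1-4]|4.[1-4].*) return 0 ;; esac
    return 1
}

# Input on stdin: `adb shell 'ls -l /system/bin/su /system/xbin/su 2>/dev/null'`
# (only files that exist are listed). Succeeds when a su binary is present,
# which on a phone the owner never rooted is the article's "secret passage".
su_binary_present() {
    grep -q '/su$'
}

# Run all four checks on the collected outputs and print one FINDING line per
# indicator, then a total. Treat hits as reasons to investigate, not proof.
triage() {
    setting=$1; release=$2; packages=$3; su_listing=$4
    n=0
    if unknown_sources_enabled "$setting"; then
        echo "FINDING: installs from unknown sources are enabled"
        n=$((n + 1))
    fi
    if old_android_release "$release"; then
        echo "FINDING: Android $release is in the 4.1-4.4 range with known root exploits"
        n=$((n + 1))
    fi
    printf '%s\n' "$packages" | flag_sideloaded | while read -r pkg inst; do
        echo "FINDING: $pkg was not installed from Google Play (installer=$inst)"
    done
    n=$((n + $(printf '%s\n' "$packages" | flag_sideloaded | wc -l)))
    if printf '%s\n' "$su_listing" | su_binary_present; then
        echo "FINDING: su binary present on a device the owner did not root"
        n=$((n + 1))
    fi
    echo "Total: $n indicator(s)"
}

# Constructed sample device output (not captured from a real infection).
SAMPLE_SETTING=1
SAMPLE_RELEASE=4.4.2
SAMPLE_PACKAGES='package:com.example.bank  installer=com.android.vending
package:com.example.game  installer=null
package:com.example.torch  installer=com.example.thirdpartystore'
SAMPLE_SU='-rwsr-sr-x root root 9416 2016-01-01 00:00 /system/xbin/su'

# On a real phone with USB debugging enabled, feed the script live output:
#   triage "$(adb shell settings get global install_non_market_apps)" \
#          "$(adb shell getprop ro.build.version.release)" \
#          "$(adb shell pm list packages -3 -i)" \
#          "$(adb shell 'ls -l /system/bin/su /system/xbin/su 2>/dev/null')"
triage "$SAMPLE_SETTING" "$SAMPLE_RELEASE" "$SAMPLE_PACKAGES" "$SAMPLE_SU"
```

These are cheap indicators, not a verdict: a package the owner deliberately sideloaded will be flagged, and an implant that already holds root can hide itself from the package manager and the file listing, which is exactly why Wiley says most victims will never know. A hit on the su check on a phone nobody rooted on purpose is the one result that should be treated as serious on its own.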

"I don't know whether the click-fraud software can detect whether it is communicating over WiFi or a 3G/4G network," adds Brandt, "but for those with bandwidth caps on their service, this could eat up a significant amount of your monthly bandwidth just to line the pockets of Yingmob."

What can you do about it?

If you haven't already installed security software on your phone, now might be a good time to consider that. Some software (like Checkpoint's) can detect if a rootkit is present on the machine and alert you to it after you install, says Wiley.

But if you are infected, you may be forced to reset your phone and start over from scratch.

"If you're worried you might have something like this on your phone and you want to be entirely sure that it has been wiped, do a factory reset, then change your Google password from a computer, so that when you use the phone after the reset it will require the new credentials," adds Brandt. "After you reconnect to Google and sync your accounts, be very, very careful about reinstalling only apps that come from trusted locations, like the legitimate Google Play Market."

Or, as Wiley says: "Don't click on crazy stuff, go only to trusted stores and vendors, run some kind of threat prevention software and have a great backup of your data ready in case you need it."

Read more: https://www.theguardian.com/technology/2016/jul/06/what-is-hummingbad-malware-android-devices-checkpoint