HummingBad malware infects 10m Android devices

The HummingBad malware is capable of taking over a smartphone or tablet, stealing and selling on user information – from email accounts and contacts to banking information and everything needed for identify theft – as well as downloading unauthorised apps and tapping on advertising, a report by the cyber security firm says.

Check Point said that it has been tracking HummingBad since February and that, after a spike in infections in May, the malware has now passed the 10 million mark globally.

The malware can infect an Android smartphone or tablet if the user browses the wrong site, in so called drive-by-download attacks. HummingBad then attempts to gain access to the underlying Android system by using “root access” to take full control. If it cannot gain root access it then tricks the user into giving almost full control via a fake update notification.

“If successful, attackers gain full access to a device,” said Check Point. “If rooting fails, a second component uses a fake system update notification, tricking users into granting HummingBad system-level permissions.”

Once the malware has control of the device it can use its control of permissions to force it to download apps and tap on adverts to generate fraudulent advertising revenue potentially without the user’s knowledge. The attackers could also sell access to the device or the user’s information, the firm said.

Checkpoint says that HummingBad-infected devices have been detected across the globe with 1.6m devices in China and 1.35m in India topping the list. The US has 288,800 infected devices, while the UK and Australia both have around 100,000 devices with HummingBad operating on them.

Google said: “We’ve long been aware of this evolving family of malware and we’re constantly improving our systems that detect it. We actively block installations of infected apps to keep users and their information safe.”

As smartphones have become more popular malware that targets both Android and iOS has increased in volume and effectiveness. Both platforms made moves to protect devices from these kinds of attack. Due to Apple’s control of both hardware and software, it has had more success in getting users to upgrade to the latest and most secure versions of its iOS, where Android updates can take months, years or never happen at all for devices not directly controlled by Google.

The Android-maker has recently separated security patches from the rest of Android, allowing security updates to be pushed out on a monthly basis for its Nexus and Pixel devices. Other third-party Android manufacturers, including Samsung and LG, pledged to follow Google’s lead with prompt security patches, but many others are slow to release updates to user phones, leaving them exposed.

For those that are impacted by HummingBad, a factory reset might be the only recourse, although even then it could remain if it has gained access to a protected part of the device through root access.