HummingBad Infects 85 Million Android Devices

A report by Check Point, a security research firm, details a new type of Android malware dubbed HummingBad, and 85 million devices are already infected.

Affecting both smartphones and tablets, HummingBad steals and sells user information, like email accounts, contacts, banking information everything needed to commit identity theft. The malware also installs apps and clicks on ads.

First discovered in February, HummingBad creators Yingmob, are a well-known group of Chinese computer criminals. It installs a persistent rootkit in Android devices and then goes to work. The same group was also behind a malware-infested app for iPhones called YiSpecter, which was the first piece of iOS malware that infected non-jailbroken iPhones.


The HummingBad group works adjacent to a legitimate ad business. The two groups share resources and generate roughly $300,000 per month. With over 85 million devices under control, the two groups can create a botnet and use the combined computing power to carry out massive attacks against corporations and governments, or even sell usage of the botnet on the black market.

Check Point was able to find detailed information about Yingmob, including its business organization and development projects, including:

  • Eomobi: Malicious components of HummingBad
  • Hummer Offers: Ad server analytics platform
  • Hummer Launcher: An APK ad server

Yingmob is four internal groups totaling 25 members with headquarters at Level 5, Xingdu Plaza, 73 Beiqu Rd., Yuzhong, Chongqing, China.

The analytics service that Yingmob uses is called Umeng. It has control over 200 apps, although most of them are variations of a few core apps. Most of the victims of HummingBad are Chinese and Indian Android users, with 50% of affected users running Android KitKat.

How HummingBad Works

The Check Point team was able to dissect HummingBad, and what they discovered was a sophisticated multi-stage attack system. The first component called SSP tries to gain root access on the infected Android device. If it works, Yingmob gets full, unfettered access to the device. If SSP fails to root the device, it displays a fake update notification, and when the user “updates” their device, HummingBad gets system-level permissions.

Four events trigger SSP: device boot, turning the screen on/off, detecting that a person is currently using the device and any changes in connectivity. When it is triggered SSP starts a service called Se. Se starts up the advertising networks that HummingBad uses – like Mobvista, Cheetah, Apsee or Startapp.

simulate_clickThe second component of HummingBad comes into play when SSP injects a library into the Google Play system process using ptrace. Once injected, the malware can simulate clicks on install/buy/accept buttons within the Google Play store, allowing it to download junk apps.


The third component is called RightCore. RightCore is the rooting component of HummingBad and is responsible for downloading and decrypting various exploits into the system. Unlike a typical root binary which is called su (superuser), the binaries that RightCore uses to root a device are called ipm and ppm, which is theorized to help avoid detection.



The fourth and final component of HummingBad is called CAP. This is the component for installing the majority of fraudulent apps using a variety of sophisticated techniques. Once CAP  launches it decrypts module_encrypt.jar from its resources. Among other things, CAP can send statistics to the server and check for updates. CAP also creates a fake IMEI number to install the same apps twice on the device, so it receives payment for two installations on two separate devices (one real, one fake).

To read the full report by Check Point check out this link [PDF].