Researchers revealed that a Chinese advertising company had created one of the most pernicious pieces of Android malware yet. They estimated it had infected 10m Android handsets worldwide. Dubbed “HummingBad” by researchers at the security firm Check Point, it’s one of the biggest attacks to date on Android – the world’s most popular mobile operating system, which runs on more than 80% of all smartphones as well as tablets.


While this attack isn’t catastrophic, it opens the door for future attacks that could be, say security experts. Researchers haven’t been able to say which Android handsets are most susceptible but say that as many as 85m of the world’s Android devices are vulnerable.

Who did this, and why?

According to a report by Check Point, the main purpose of the HummingBad malware is to trick users into clicking on mobile and web ads, which generates advertising revenue for its parent company, Yingmob – a practice known as “click fraud.” It’s a lot like the browser toolbars designed to deliver ads to your computer a decade ago, says Dan Wiley, head of incident response for Check Point.

But HummingBad is far worse. Because the malware gains “root access” to Android – the very heart of your phone’s operating system – and then calls home to a server controlled by Yingmob, it could be used to do virtually anything the attacker wants it to do, from spying on your personal information to stealing your bank login details.

Even if the malware creators only use it for click fraud, they could decide to sell the rootkit on the internet’s black market, says Wiley. “It’s an extreme nuisance, with the potential to turn into a really nasty event,” he adds.

It’s like a burglar who finds a secret passage into your home, sprays graffiti on your walls, and eats all the food in the fridge. Later he could come back to ransack your house and steal all your money or share knowledge of the secret passage with someone who will.

“Rooting an Android device is not an inherently evil practice,” notes Andrew Brandt, director of threat research for security firm Blue Coat Systems. “Many people root their own phones to control the behavior of their mobile devices more tightly. But rooting done without the knowledge and consent of the owner of the device is an inherently hostile act.”

How did it get so bad?

According to Wiley, most people probably got infected because they installed a less-than-hygienic app from a third-party Android store or website. Check Point, he adds, did not find any of the malware-infested apps on Google Play, the primary source of Android apps for most US consumers. Other people may have visited a dodgy website, which prompted them to install a piece of software containing a hidden payload. And once installed, the malware invited even more of its nasty friends to the party, downloading additional payloads.

The vast majority of the 10m infected handsets reside in China and India, indicating third-party app stores – far more popular overseas – as the most likely sources. But around 250,000 are based in the US, so it could be people traveling from Asia to the US or simply people who ignore Android’s default settings and allow app installs from third-party sites, Wiley explains.