Skip to main content

“HummingBad,” a new Android malware, has infected more than 10 million devices

There is a new form of Android malware on the loose, and it is wreaking havoc. According to a detailed report from mobile security firm Check Point, HummingBad, a sophisticated bit of malicious code that emerged in February, has already managed to infect more than 10 million Android devices across the globe.

It is not your everyday, run-of-the-mill malware. HummingBad is the product of what Check Point describes as a group of “highly organized … Chinese cyber criminals that is working alongside multimillion-dollar Beijing analytics company Yingmob. It has serious developer muscle behind it: the HummingBad division, which bears the innocuous title “Development Team for Overseas Platform,” staffs 25 developers split into “four separate groups,” each responsible for maintaining the malware’s individual components. And Yingmob shares resources, including servers and the software certificates necessary to perform app installations, with HummingBad.

Recommended Videos

HummingBad infects primarily through “drive-by download,” or by installing itself on devices that visit infected webpages and sites. Its code, which is obfuscated by encryption, attempts to install itself on a given device persistently by multiple means.

The first, a “silent operation” that occurs in the background, is triggered every time the device boots up and its screen turns on. Hummingbird then checks to see if the device’s user account is “rooted” — i.e., has administrative privileges that can bypass security checks — and, if it is, it grants itself unfettered access to files and folders. Failing that, the malware attempts to root the device itself by running “multiple exploits” until it finds one that works.

But HummingBad has a Plan B, too: social engineering. The app pops open a window about an imminent “system update, which, in reality, is malicious code. If an unwitting victim permits the bogus “upgrade,” HummingBad connects to a remote server to download and launch additional applications. One nasty possibility? A keylogger that could “capture credentials and even bypass encrypted email containers used by enterprises,” wrote Check Point.

The driving force behind HummingBad’s development is profit, Check Point reported. Yingmob is currently generating $300,000 per month — $4 million per year — in fraudulent ad revenue. But the group, if it chose, could decide to pursue a far more nefarious purpose: the sale of personal data on infected devices.

HummingBad has gained its largest footholds in Asian markets. More than 1.6 million of the infected devices reside in China and another 1.35 million in India. That compares to 288,800 in the US. Collectively, Yingmob’s suite of malware now reaches 85 million phones and tablets and is now autonomously installing more than 50,000 apps a day, according to Checkpoint.

Google has yet to issue guidance regarding the detection and removal of HummingBad. We will update this story if it does.

Kyle Wiggers
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
Baseus power banks are the best way to charge your phone after these discounts
A woman holding a phone with a Baseus Am41 Magnetic Power Bank attached to it.

One of the worst things about being a doomscroller isn't the information you're getting, it's the fear that your battery will die and the scrolling will have to end. This is especially true if you're stuck without power, waiting for the doctor or dentist to finally call your name, or have any other sort of emergency. But, Baseus has you covered with their excellent selection of on-the-go power banks made for your iPhone. Since they're small and fit directly to your phone's magnet charging area, you can think of them more as battery extenders than anything. Plus, if your phone's internal battery is starting to have battery trouble, a Baseus charger is a great way to avoid an annoying battery change session. The best news, however, is that they're all on sale. Here's what you can expect to see coming up:

Baseus Am31 Mini Power Bank — Was $70, Now $50

Read more
Nothing Phone 3: A unique phone that’s not a true flagship
The Nothing Phone 3 in white

As smartphones have become extremely homogenous, companies must find unique ways to stand out from the crowd. For London-based Nothing, this has meant a singular company focus on blending smartphone features with unique designs that allow their phones to stand out in a sea of sameness.

The Nothing Phone 3 is the latest addition to a line of Nothing phones that are unique and polarizing in their design. Earlier this year, Nothing launched the Phone 3a Pro with a unique camera array, and the Phone 3 builds on this while also evolving the Nothing design language.

Read more
Plaud Note, the professional-tier AI notetaker, is 20% off for Prime Day
Four colleagues have a conversation around a Plaud Note AI notetaker.

Lately, as I've been working through stressful hospital visits with family, I've encountered something I haven't in quite awhile. As I hear doctors, nurses, and family say things, I'll be completely unable to remember them moments later. There's just too much going on all at once. Early in my career I encountered the same issue. There were just so many new facets of what I was doing entering my head all at once, from many sources, that it was impossible to keep track of it all. If only there were AI notetaking tools that have helped me through this. AI notetaking tools like Plaud Note and Plaud NotePin, which are both 20% off for Prime Day (from $159 to $127 for either device, saving you $32) and available by tapping the button below.

PLAUD Note Voice Recorder

Read more