“HummingBad,” a new Android malware, has infected more than 10 million devices

There is a new form of Android malware on the loose, and it is wreaking havoc. According to a detailed report from mobile security firm Check Point, HummingBad, a sophisticated bit of malicious code that emerged in February, has already managed to infect more than 10 million Android devices across the globe.

It is not your everyday, run-of-the-mill malware. HummingBad is the product of what Check Point describes as a group of “highly organized … Chinese cyber criminals” that is working alongside multimillion-dollar Beijing analytics company Yingmob. It has serious developer muscle behind it: the HummingBad division, which bears the innocuous title “Development Team for Overseas Platform,” staffs 25 developers split into “four separate groups,” each responsible for maintaining the malware’s individual components. And Yingmob shares resources, including servers and the software certificates necessary to perform app installations, with HummingBad.

HummingBad infects primarily through “drive-by download,” or by installing itself on devices that visit infected webpages and sites. Its code, which is obfuscated by encryption, attempts to install itself on a given device persistently by multiple means.

The first, a “silent operation” that occurs in the background, is triggered every time the device boots up and its screen turns on. HummingBad then checks to see if the device’s user account is “rooted” — i.e., has administrative privileges that can bypass security checks — and, if it is, it grants itself unfettered access to files and folders. Failing that, the malware attempts to root the device itself by running “multiple exploits” until it finds one that works.

But HummingBad has a Plan B, too: social engineering. The app pops open a window about an imminent “system update,” which, in reality, is malicious code. If an unwitting victim permits the bogus “upgrade,” HummingBad connects to a remote server to download and launch additional applications. One nasty possibility? A keylogger that could “capture credentials and even bypass encrypted email containers used by enterprises,” wrote Check Point.
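The boot-time trigger and the follow-on app installs described above leave traces in an app's manifest. As an added illustration (not taken from Check Point's report or from this article), the Python sketch below triages a decoded AndroidManifest.xml for receivers that wake at boot or unlock, combined with permissions to install other apps. The sample manifest, its package and class names, and the `triage_manifest` helper are constructed for the example; this is a generic review heuristic, not a HummingBad signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Standard Android broadcasts sent at boot and when the user unlocks the screen.
WAKE_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.USER_PRESENT"}
# Standard Android permissions that allow installing other packages.
INSTALL_PERMS = {"android.permission.INSTALL_PACKAGES",
                 "android.permission.REQUEST_INSTALL_PACKAGES"}
RISKY_PERMS = INSTALL_PERMS | {"android.permission.RECEIVE_BOOT_COMPLETED"}

# Constructed sample (hypothetical app), as produced by decoding an APK's manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <receiver android:name=".StartReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BatteryReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BATTERY_LOW"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text):
    """Report boot/unlock receivers and install-related permissions."""
    root = ET.fromstring(xml_text.strip())
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    wake_receivers = {}
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        hits = sorted(actions & WAKE_ACTIONS)
        if hits:
            wake_receivers[rcv.get(ANDROID_NS + "name")] = hits
    return {
        "package": root.get("package"),
        "wake_receivers": wake_receivers,
        "risky_permissions": sorted(perms & RISKY_PERMS),
        # Flag for manual review only when both behaviours appear together.
        "review": bool(wake_receivers) and bool(perms & INSTALL_PERMS),
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Plenty of legitimate apps start at boot, so a hit here is a reason to look closer at the app, not a verdict.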

The driving force behind HummingBad’s development is profit, Check Point reported. Yingmob is currently generating $300,000 per month — $4 million per year — in fraudulent ad revenue. But the group, if it chose, could decide to pursue a far more nefarious purpose: the sale of personal data on infected devices.

HummingBad has gained its largest footholds in Asian markets. More than 1.6 million of the infected devices reside in China and another 1.35 million in India. That compares to 288,800 in the US. Collectively, Yingmob’s suite of malware now reaches 85 million phones and tablets and is autonomously installing more than 50,000 apps a day, according to Check Point.

Google has yet to issue guidance regarding the detection and removal of HummingBad. We will update this story if it does.
