Skip to main content

Breaking HummingBad

‘HummingBad’ (also known as Hummingbird) is a piece of malware that has infected over 10 million Android phones worldwide. The largest share of the infections are in China with 1.6 million infections while the U.S. is seeing a still sizable number of around 280,000 infected devices.

HummingBad is currently being used as part of a very organised cybercrime organisation to generate revenue through online advertising fraud. According to some reports, they are pulling in around $300,000 (£210,000) a month by this method alone, and that’s just part of what HummingBad can do.

Click fraud

A common method for cybercriminals to pull in money is through online advertising fraud, often referred to as ‘click fraud.’ Online advertisers pay websites and mobile apps money for each time someone clicks on one of their ads. Ad clicking malware runs in the background of your device, sending traffic to the advertisers to make it appear as if you are actively clicking on their ads. In an operation like this, where you have millions of infected devices, the click revenue grows to a rather substantial sum!

Another, maybe more insidious, use of this type of malware comes when click fraud is applied to app stores. There have been cases of malicious apps of the same vein as HummingBad downloading at rating apps on the app store without the user’s knowledge. Everything operates in the background thanks to its root level permissions. This activity can be used to generate fraudulent advertising revenue, but can also be used to download other malicious software and give it a high rating on the app store. This increases the chances of a malicious app reaching even more targets.

Down to the roots

Click fraud is just the tip of the iceberg. HummingBad operates with root level privileges, giving it full control of devices it has infected. It first attempts to gain root by exploiting several vulnerabilities in the Android operating system and if that doesn’t work, it tricks the user with a fake system update notification. To reiterate, many installations of HummingBad required no exploit to actually take place, the users themselves unknowingly granted HummingBad the permissions it needed.

Once a piece of malware like HummingBad has root level permissions, it effectively becomes a tool for the cybercriminal to use at their leisure. Often this can lead to an infected device becoming part of bot-net that is then used for other malicious activities such as sending spam, launching DDoS (Distributed Denial of Service) attacks or spreading other malware. In fact, an entire cottage industry has grown around renting out botnets to other cybercriminals to use. It’s cybercrime as a service!

Part of a much larger problem

HummingBad is indicative of a much larger problem we are facing. As more and more people do the majority of their web surfing on mobile devices, malware writers continue to turn their attention toward the Android platform. Since Q1 of 2015, we have seen a 137% increase in mobile malware.

This increase in malware is consistently targeting the Android operating system for a number of reasons. Whereas iOS has taken a ‘walled garden’ approach when it comes to app distribution, Android users can download apps from any number of sources. This allows for a very wide app ecosystem, giving the user the ability to download apps from not only large marketplaces like Google Play and Amazon, but also from smaller independent app stores or websites. Unfortunately, this creates something of a ‘Wild West’ scenario, with very little policing being done on these third-party app stores. While the major app stores do have some infected apps slip through the cracks now and then, the majority of the malicious apps found by McAfee Labs come from other sources.

How do I stay safe?

Avoid third party app stores

As mentioned earlier, the majority of infected apps come from this source. Sticking to major app stores like Google Play or Amazon can dramatically reduce your exposure to malware.


Malware writers target bugs in the operating system and applications to infect a device. One of the best ways to avoid infection is to keep your system up to date. Turn on automatic updates to help ease the process.

Pay attention

As with HummingBad, a lot of malware can be installed by simply tricking the user into giving it the permissions it wants during the installation process. Does the game you’re installing need permissions to send SMS? Why is it asking for access to your contacts? I know most people simply tap OK to every pop up during installation, but this can quickly come back to haunt you. Don’t be afraid to tell an app ‘no'.

Install security software

Given the meteoric rise in mobile malware, installing anti-malware software on your devices can dramatically improve your protection against malicious apps.

Backup regularly

HummingBad, like many types of malware, can be very difficult to completely remove for your device once it’s been installed. In many cases the only way to guarantee a clean device is to do a factory reset and restore from a backup. This can be a much easier pill to swallow if you have a recent backup.

While HummingBad itself is not unique, it is a very good example of what the average consumer is facing today. Cybercriminals are becoming much more organised and, as a result, are able to generate enough revenue from malware like HummingBad to continue their efforts. Criminals go where the money is and unfortunately mobile is where they are finding more opportunity for profit.

Bruce Snell, Cybersecurity and Privacy Director at Intel Security

Image source: Shutterstock/Maksim Kabakou