HummingBad is the latest high-profile mobile malware targeting Android devices. It uses multiple strategies to get onto a device. It can hide as a malicious payload in an application installed from an application store. Beyond store installs, HummingBad is downloaded by mobile devices in silent “drive-by” attacks from infected web sites, and Check Point found evidence it was also spread through malicious payloads from adult content sites in Asia (malicious code can be embedded in media content such as images and videos so that the exploit fires when the infected media is loaded and viewed on the mobile device).
Yingmob, a group of Chinese cyber criminals, is purported to be behind HummingBad. When HummingBad is combined with Yispecter and other Yingmob apps, Check Point contends that Yingmob controls “an arsenal of over 85 million mobile devices around the world.”
Once HummingBad is installed, it can do a number of things to the mobile device. Worse, with root access, the HummingBad agent can do anything requested by a malware server controlled by Yingmob.
The motivation for HummingBad seems to be old school – the intent isn’t to create mischief, harvest information or siphon money from the device owners. Instead, the attackers are using an “army” of infiltrated mobile devices to generate ad-click revenue for themselves. Check Point estimates that Yingmob is able to generate approximately $300,000 per month this way.
What’s more concerning to enterprises is how HummingBad is “programmable” after the mobile device is infected. It is believed that the infrastructure established by HummingBad presents additional revenue opportunities. Access to compromised devices can be sold to cybercriminals and hacktivists who can remotely control infected devices, exfiltrate sensitive data and perform a variety of other functions without the consent of the end user.
The problem is simply this: physical devices are the target of malicious attacks, and no matter how innovative the white hats are at securing those devices, the black hats are always one step ahead.
Even if the HummingBad exploit is remediated today, it doesn’t matter: there is going to be another ‘HummingBad’ every few weeks. Moreover, there is already a notable problem with the pace at which security updates are pushed to mobile devices.
Hypori moves the battlefield from the physical device, which is difficult to control, to the well-regulated datacentre controlled by the enterprise. Enterprises using Hypori have a number of tools to prevent them from being affected by HummingBad. Specifically, with Hypori the enterprise can defend against exploits like HummingBad by:
Locking Images: Virtual OS images can be configured to exclude an app store and to prohibit users from installing applications from unknown sources (side loading). Hypori system images are read-only at the virtualisation layer – Android system applications cannot modify the system image and thus cannot “root” a Hypori image.
Managing Networks: Unlike consumer networks, enterprises protect their networks with a collection of firewalls and proxy servers that govern access to Internet services. Hypori virtual devices use these same networks and policies to reach services, so a virtual device only needs access to the services required by its installed applications. Moreover, the enterprise can limit the network ingress and egress of the virtual device, effectively eliminating any remote control or data exfiltration.
Managing Access: In the event that malware does manage to somehow infect a Hypori virtual device, the virtual device can be immediately disabled and quarantined. The impacted user can be re-issued a new device in seconds, instead of days.
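The “Managing Networks” point above rests on a simple rule: a virtual device should only reach the services its approved applications need, so any other outbound connection (for example a command-and-control callback from an unapproved app) is a policy violation worth alerting on. The following is an added illustration of that rule as a per-application egress allowlist evaluated over connection logs. It is example code written for this page, not Hypori’s software or configuration; the package names, hostnames, log format and log lines are all constructed for the illustration.

```python
"""Evaluate outbound connections from a virtual device against a
per-application egress allowlist (added example, not Hypori code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical policy: each approved application declares the only
# hosts it legitimately needs. Anything else is denied by default.
EGRESS_POLICY: Dict[str, Set[str]] = {
    "com.example.mail": {"mail.example.com"},
    "com.example.crm": {"crm.example.com"},
}

# Constructed connection log in a made-up "<ts> <app> -> <host>:<port>" format.
SAMPLE_LOG = """\
2016-07-05T10:00:01Z com.example.mail -> mail.example.com:443
2016-07-05T10:00:02Z com.example.crm -> crm.example.com:443
2016-07-05T10:00:03Z com.example.mail -> cdn.example.com:443
2016-07-05T10:00:04Z com.unknown.dropper -> 203.0.113.5:8080
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+)$")


@dataclass
class Finding:
    ts: str
    app: str
    dst: str
    port: int
    reason: str


def is_allowed(app: str, dst: str, policy: Dict[str, Set[str]]) -> bool:
    """Default-deny: the app must be approved and the host must be on its list."""
    return dst in policy.get(app, set())


def evaluate_egress(log_text: str, policy: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per connection the allowlist would have blocked."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not connection records
        ts, app, dst, port = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if app not in policy:
            # An app that was never approved for the image should not be
            # present at all, let alone talking to the network.
            findings.append(Finding(ts, app, dst, port, "app not in approved inventory"))
        elif dst not in policy[app]:
            findings.append(Finding(ts, app, dst, port, "destination not in app allowlist"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count violations per application, handy for a quarantine decision."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.app] = counts.get(f.app, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate_egress(SAMPLE_LOG, EGRESS_POLICY):
        print(f"{f.ts} {f.app} -> {f.dst}:{f.port}  [{f.reason}]")
    print(summarize(evaluate_egress(SAMPLE_LOG, EGRESS_POLICY)))
```

Run as written, the evaluator flags two of the four constructed connections: the mail client reaching a host outside its declared set, and an unapproved package contacting an arbitrary address and port. The per-app summary is the kind of signal that would feed the “Managing Access” step, where a device showing such traffic is disabled and quarantined and the user re-issued a clean virtual device.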
When considering Hypori, consider this: are you one of the 85 million? Is access to your mobile device up for sale on the dark web today?
Download the Whitepaper for more on this topic.
Will Scott, CMO, EVP Products, Hypori