It has been reported that a new malware with rootkit functionality, named "HummingBad", is spreading widely. The malware targets Android devices running recent Android OS versions, including KitKat, Jelly Bean, Lollipop, Ice Cream Sandwich and Marshmallow. The malware uses a "drive-by download" infection vector to propagate itself, arriving on the victim's Android device as a result of visiting compromised websites.
The malware is capable of performing the following functions:
- Establishes a persistent rootkit on Android devices.
- Installs additional fraudulent apps on the infected devices.
- Generates fraudulent revenue by displaying ads, creating clicks, and installing fraudulent apps.
- Capable of gaining access to infected devices and selling access to those phones and the information stored on them.
- Capable of using the compromised devices as a launchpad: they become part of a botnet and could be used to launch further attacks.
- Its SSP component connects to a remote server to receive the link of a malicious/fraudulent APK to be installed on the victim's device.
- Capable of injecting its malicious code/library into the Google Play process.
It has also been reported that the malware is capable of rooting Android devices using a rootkit that exploits multiple vulnerabilities; if rooting is unsuccessful, it falls back to fake system update notifications that trick users into granting system-level permissions to the HummingBad malware.
Andr/HummBad-A (Sophos), NDROIDOS_IOP.HRXB (TrendMicro), Android.MoPub (Symantec), Trojan:AndroidOS/Kapuser.A (Microsoft), Trojan.AndroidOS.HummingBad (Ikarus), Android.Trojan.HiddenAds.CA (GData), Android/Deng.QVX (AVG)
The repository used by the attacker belongs to a Chinese mobile ad server company named "Yingmob".
The malware authors make use of the "Umeng" tracking and analytics service to receive notifications about devices compromised by the malware.
Sample content of the JSON file is mentioned below:
Some of the package names of the malicious/fraudulent APKs are:
- Do not click on banners, pop-ups or ad notifications.
- Refer to the security tips for mobile phones:
- Do not download and install applications from untrusted sources. Install only applications downloaded from reputed application markets.
- Turn on 2-factor authentication for your Google and other accounts.
- Run a full system scan of the device with a mobile security or mobile antivirus solution.
- Check the permissions required by an application before installing it.
- Exercise caution when clicking links on any site, trusted or untrusted.
- Install Android updates and patches as and when they are made available by Android device vendors.
- Install and maintain an updated mobile security/antivirus solution.
- Users are advised to use device encryption or the external SD card encryption feature available in most Android OS versions.
- Users are advised to keep an eye on data usage (including per-application usage) and on unusual increases in mobile bills.
- Users are advised to keep an eye on device battery usage (including per-application usage).
- Load Flash content on demand.
- Use Android Device Manager to locate, remotely lock, or erase your device.
- Avoid using unsecured, unknown Wi-Fi networks. Rogue Wi-Fi access points in public places may be used for distributing malicious applications.
- Make a practice of taking regular backups of the Android device.
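The capability list above notes that HummingBad side-loads additional APKs fetched from its own servers, and the advice above says to install only from reputed application markets. One concrete way a defender can check a device against both points is to look at which installer recorded each third-party package. The following triage helper is an added example, not part of this advisory or any vendor's tooling: it parses the text format printed by `adb shell pm list packages -3 -i` (lines of the form `package:<name>  installer=<installer>`, with `null` when no installer was recorded) and flags packages whose installer is not the Play store client. The sample output is constructed, the trusted-installer set is an assumption, and the known-bad package set is an obvious placeholder because the advisory's own list is not reproduced on this page.

```python
"""Added example: flag third-party Android packages that were not installed by
the Play store, from the output of `adb shell pm list packages -3 -i`."""
import re
from typing import Dict, List, Optional

# Installer package names treated as trusted (assumption: Play store only;
# an enterprise MDM installer would be added here if one is in use).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Packages called out regardless of installer. PLACEHOLDER value, not a real
# indicator: the advisory's package list is not reproduced on this page.
KNOWN_BAD_PACKAGES = {"com.example.placeholder.bad"}

# One line of `pm list packages -i` output: "package:<pkg>  installer=<inst>"
_LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer, using None where pm printed 'null'."""
    result: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines or anything that is not a package line
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def flag_suspicious(packages: Dict[str, Optional[str]]) -> List[dict]:
    """Return findings for packages that match a known-bad name, have no
    recorded installer (side-loaded or pushed over adb), or were installed
    by something other than a trusted installer."""
    findings: List[dict] = []
    for pkg, inst in sorted(packages.items()):
        reasons = []
        if pkg in KNOWN_BAD_PACKAGES:
            reasons.append("known-bad package name")
        if inst is None:
            reasons.append("no recorded installer (side-loaded or pushed via adb)")
        elif inst not in TRUSTED_INSTALLERS:
            reasons.append(f"installed by untrusted installer {inst}")
        if reasons:
            findings.append({"package": pkg, "installer": inst, "reasons": reasons})
    return findings


# Constructed sample output; not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.placeholder.bad  installer=null
package:com.example.sideloaded  installer=com.example.thirdpartystore
package:com.example.tools  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in flag_suspicious(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(finding["package"], finding["installer"], "; ".join(finding["reasons"]))
```

On a real device the output would be piped in from `adb shell pm list packages -3 -i` instead of the embedded sample. A flagged package is only a lead for closer inspection (check its permissions, data and battery usage as the advice above suggests), not proof of infection, since legitimately side-loaded apps show up the same way.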