HummingBad's chain of attack.


HummingBad is mobile malware that has reportedly infected at least 10 million Android devices around the world as of July 2016. The malware is allegedly run by Beijing-based developers and linked to a legitimate advertising analytics agency, Yingmob. The group reportedly earns up to $300,000 a month through ad fraud. The malware displays 20 million ads, creates 2.5 million clicks, and installs 50,000 fake apps per day. Of the nearly 200 apps associated with the group, about 25 percent are malicious. According to reports, the US has 286,800 infected devices as of early July.

Originally found to be the result of a drive-by download from an adult content site, HummingBad is a piece of malware that targets Android devices. The malware's malicious components are encrypted, making it difficult for security measures to detect the malware and prevent it from being downloaded. The malware attempts to establish a persistent rootkit and elevate its privileges. If the malware fails to establish a rootkit by itself, it will tell the user that a system update is available and ask the user to authorize it. The malware will then download an encrypted file which will allow it to become rooted. Once rooted, the malware can download malicious APKs, send referrer requests to generate ad revenue for the malware distributor, install fraudulent applications to generate revenue, uninstall unwanted apps, and launch apps. Although not as common, the malware can be used to install keyloggers, capture credentials, and bypass encrypted email containers.

As of early 2017, HummingBad was one of the top 10 active malware families and accounted for 72% of all mobile infections. In January 2017, a new variant, dubbed "HummingWhale," was found in 46 new applications, 20 of which were available in the official Google Play Store. HummingWhale contains a rootkit component, allowing it to forcibly download unwanted apps on infected devices. It works by showing unwanted ads to its victims; when the user moves to close the ad, the malware opens a virtual machine and installs the advertised app inside it, making it more difficult for security apps to detect. Additionally, HummingWhale is able to post reviews and ratings on the Google Play Store on behalf of the infected device's user. Google has subsequently removed the infected apps. A list of all app package names containing HummingWhale, spread through Google Play and other third-party stores, is available here. The majority of infected apps were ones advertised as cameras and phone cleaners.


  • January 2017: New HummingBad variant, HummingWhale, was found in 46 new applications, 20 of which were found in the Google Play Store. (Check Point)
  • July 2016: HummingBad reportedly infected at least 10 million Android devices worldwide. (CNET)
  • March 2016: HummingBad was reported as the sixth most common type of malware attack worldwide. (Check Point)
  • February 2016: HummingBad was detected on two Android devices belonging to employees at a large financial services institution. (Check Point)

Technical Details:

  • Check Point provides a list of C&Cs and malicious URLs, along with more technical details here.