Android malware spread via porn websites to generate fake ad revenue

David Bisson (@DMBisson)


Researchers have spotted a new type of mobile malware that roots Android devices with the purpose of generating fraudulent ad revenue for its operator.

Earlier this month, Andrey Polkovnichenko and Oren Koriat, two members of the Check Point Research Team, wrote in a blog post about how they detected the malware, which they have named “HummingBad,” as part of a drive-by download attack served by porn websites against two customers’ Android devices.

Curious, they decided to dig into the malware and figure out what makes it tick.


As it turns out, HummingBad is a complex rootkit whose components are encrypted, in an attempt to avoid being flagged by security solutions as malicious.

[Image: HummingBad flow]

Under this protective cover, the malware launches a sophisticated chain attack via a silent attack vector that is triggered by common events on an Android device, including booting up, a minute passing on the device’s clock, or the screen being on.

Koriat and Polkovnichenko explain further:

“The malware then checks if the device is rooted or not. If the device is rooted, the malware continues straight to act on its objective. If the device is not rooted, the parent malware XOR decrypts a file from its assets called right_core.apk (every character is XORed against 85). The right_core.apk then decrypts a native library from a file called support.bmp. This native library is used to launch multiple exploits in an attempt to escalate privileges and gain root access.”

If the malware is able to gain root, it will contact one of its command and control (C&C) servers.

If it fails, it resorts to its second, “louder” attack vector, which involves the use of social engineering to worm its way deeper into the device by tricking users into authorizing the installation of a fake “system update” that is in reality a malicious APK. Once installed, the malware decrypts a file containing several exploits that enable it to try and escalate privileges in an attempt to gain root access.
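The single-byte XOR layer described in the researchers' quote above can be spotted statically during triage. The following is an added example, not code from Check Point or from this article: it checks each file under an APK's assets/ for ZIP, DEX or ELF magic bytes hidden under any single-byte XOR key, which generalizes the key-85 case. The function names and the harmless sample archive are constructed for illustration, and the sample assumes the 85 is decimal.

```python
import io
import zipfile

# Magic bytes of container/code formats that should never need XOR to appear.
MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex", b"\x7fELF": "elf"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data against one single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_payloads(apk_bytes: bytes, prefix: str = "assets/"):
    """Return (entry, key, kind) for assets that show a known magic under single-byte XOR."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            with apk.open(info) as fh:
                head = fh.read(4)
            if len(head) < 4:
                continue
            for magic, kind in MAGICS.items():
                key = head[0] ^ magic[0]  # the only key that could map byte 0 to the magic
                if key != 0 and xor_bytes(head, key) == magic:  # key 0 means not encoded
                    hits.append((info.filename, key, kind))
    return hits


def decode_asset(apk_bytes: bytes, name: str, key: int) -> bytes:
    """Decode one flagged asset so it can be handed to normal static analysis."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return xor_bytes(apk.read(name), key)


def build_sample() -> bytes:
    """Constructed, harmless sample: an inner zip XORed with 85, beside an ordinary asset."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", b"constructed placeholder, not real code")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("assets/right_core.apk", xor_bytes(inner.getvalue(), 85))
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")
    return outer.getvalue()


if __name__ == "__main__":
    for name, key, kind in find_xor_payloads(build_sample()):
        print(f"{name}: {kind} hidden under XOR key {key}")
```

Because the key is derived from the first byte rather than fixed, the same check flags an asset whether the key is 85 or any other non-zero byte.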

After the malware has successfully called home for instructions, its C&C server can have it download APKs for installation on the device (either via silent install or social engineering), send referrer requests to create Google Play advertisement revenue, and launch different applications.

HummingBad can also engage in more insidious behaviors if its operators so choose:

“As the malware installs a rootkit on the device, it enables the attacker to cause severe damage if he decides to change his objectives, including installing key-logger, capturing credentials and even bypassing encrypted email containers used by enterprises.”

The C&C servers of this malware, which joins the ranks of other Android malware including Ghost Push and Brain Test, are currently still active and contain malicious APKs.

Graham Cluley made a video last September describing how the malicious Brain Test app managed to sneak its way into the official Google Play store, being downloaded by unsuspecting Android users hundreds of thousands of times.

[Video: Malware gets into the Google Play Android app store again | Graham Cluley]

Drive-by download attacks like those used to spread HummingBad are not confined purely to porn websites, but can affect other sites too.

With that in mind, it is important to maintain an updated mobile anti-virus solution that can protect you while you browse the web on your device. Smartphones and tablets are the new frontier of malicious software.

Ultimately, it’s better to be safe than sorry.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Android malware spread via porn websites to generate fake ad revenue”

  1. D Jay Thompson

    Question is: How do you know you have it and what can you do to get rid of it?
