Researchers have spotted a new type of mobile malware that roots Android devices with the purpose of generating fraudulent ad revenue for its operator.
Earlier this month, Andrey Polkovnichenko and Oren Koriat, two members of the Check Point Research Team, wrote in a blog post about how they detected the malware, which they have named “HummingBad,” as part of a drive-by download attack served by porn websites against two customers’ Android devices.
Curious, they decided to dig into the malware and figure out what makes it tick.
As it turns out, HummingBad is a complex rootkit whose components are encrypted, in an attempt to avoid being flagged by security solutions as malicious.
Under this protective cover, the malware launches a sophisticated chain attack via a silent attack vector that is triggered by common events on an Android device, including booting up, a minute passing on the device’s clock, or the screen being on.
Koriat and Polkovnichenko explain further:
“The malware then checks if the device is rooted or not. If the device is rooted, the malware continues straight to act on its objective. If the device is not rooted, the parent malware XOR decrypts a file from its assets called right_core.apk (every character is XORed against 85). The right_core.apk then decrypts a native library from a file called support.bmp. This native library is used to launch multiple exploits in an attempt to escalate privileges and gain root access.”
If the malware is able to gain root, it will contact one of its command and control (C&C) servers.
If it fails, it resorts to its second, “louder” attack vector, which involves the use of social engineering to worm its way deeper into the device by tricking users into authorizing the installation of a fake “system update” that is in reality a malicious APK. Once installed, the malware decrypts a file containing several exploits that enable it to try and escalate privileges in an attempt to gain root access.
After the malware has successfully called home for instructions, its C&C server can download APKs for installation on the device (either via silent install or social engineering), send referrer requests to create Google Play advertisement revenue, and launch different applications.
HummingBad can also engage in more insidious behaviors if its operators so choose:
“As the malware installs a rootkit on the device, it enables the attacker to cause severe damage if he decides to change his objectives, including installing key-logger, capturing credentials and even bypassing encrypted email containers used by enterprises.”
Graham Cluley made a video last September describing how the malicious Brain Test app managed to sneak its way into the official Google Play store, being downloaded by unsuspecting Android users hundreds of thousands of times.
Drive-by download attacks like those used to spread HummingBad are not confined purely to porn websites, but can affect other sites too.
With that in mind, it is important to maintain an updated mobile anti=virus solution that can protect you while you browse the web on your device. Smartphones and tablets are the new frontier of malicious software.
Ultimately, it’s better to be safe than sorry.