Tried-and-true Triada supplants Hummingbad as top mobile malware

And the most prevalent malware family overall is….

David bisson
David Bisson


Hummingbad is no longer the web’s “most wanted mobile malware.” That dubious honor goes to Triada.

Since February 2016, Check Point’s Threat Intelligence Research Team has ranked Hummingbad as the top mobile malware in its Global Threat Impact Index.

It’s understandable why they would. In part distributed by drive-by downloads off of adult websites, the complex Android rootkit helps criminals generate fraudulent ad revenue to fund their enterprises.

Sign up to our free newsletter.
Security news, advice, and tips.

One gang called Yingmob had infected 10 million Android devices with Hummingbad as of July 2016. With that number of compromised devices, a criminal could expect to rake in $300,000 of ad revenue–per month!

Hummingbad flow

But the winds have since changed course.

In its January 2017 report, Check Point named Triada as the chief mobile threat. No doubt they made their decision because of the modular backdoor’s ability to infect the Zygote process, a core Android operating system. A module that enabled the malware to embed its DLL into the processes of four mobile browsers, thereby allowing attackers to intercept users’ web requests and send them to a web page of their choosing, no doubt also played a role.

Zygote en 2 786x1024 768x1001

Even so, Check Point found that mobile malware accounted for only nine percent of attacks on its January index. For that reason, neither Triada nor Hummingbad registered among the top malware threats, when including non-mobile devices. The most popular malware families typically used spam emails, downloaders, and other techniques to make the list.

Check Point’s researchers explain in a blog post:

“Globally, Kelihos was the most active malware family affecting 5% or organizations globally, followed by HackerDefender and Cryptowall in second and third place respectively both impacting 4.5% of companies.”

Top 50 malware 2 768x769

To protect against Kelihos, HackerDefender, Cryptowall, and the rest, users need to be on the lookout for suspicious links and email attachments. Organizations can supplement this effort by blocking users from visiting certain kinds of websites, including adult dating services, while connected to the enterprise network on their mobile devices.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.