Android is under threat from a new security risk known as 'HummingBad'. The malware, which was first identified last year as 'Shedun', is said to have infected 10 million devices within the past few months. Should we be worried? AndroidPIT talked to the experts to ascertain the threat level and learn what preventative measures we can take to defend against it.
What is HummingBad?
HummingBad is a virus which can be automatically downloaded to a device when a person visits certain websites; this is what's known as a drive-by-download attack.
Once inside of your device, the malware is capable of gaining root access to the Android phone. It can then install additional apps, display ads and direct a person to false Play Store information, all with the aim of gaining revenue from malicious ads.
This revenue is said to be worth $300,000 per month for Yingmob – a Beijing-based advertising agency that CheckPoint claims is responsible – and it's all achieved without the user's explicit knowledge of it being on the device.
How big is the HummingBad threat?
Different sources speak of different levels of risk. Check Point, an IT security and software development firm, suggests that ten million devices have been infected and that those who created the virus control "an arsenal of over 85 million mobile devices around the world."
Lookout, a security company focusing on Android and iOS, claims that "Shedun detections spiked over 300 percent in March, and further spiked over 600 percent in the past month [between June and July]."
Of those affected, the Checkpoint report [PDF, 1 MB] claims that 90 percent of the devices are running Android 4.4 KitKat or older, while only one percent of the infected devices are running Android Marshmallow.
Furthermore, the list suggests that around 286,800 devices have been hit in the US, but it's mostly eastern territories featured in the top 20 infected countries.
What do the experts say?
We asked security companies how big the threat really is. In a statement translated from German, Thomas Uhlemann, Security Specialist at ESET, said:
"Though HummingBad is a threat to Android devices, we can not really see a significant increase [in infection rate]." Numbers from the ESET-owned www.virusradar.com (a screenshot of which I've attached below) suggest the same.
Mr Uhlemann added: "A global peak of two to three percent in Yemen or two percent or less in Tajikistan, Afghanistan and Nepal should be of little importance for users in Central Europe."
While Android devices in the US have been targeted more, Mr Uhlemann also said, "Those with current security software, such as the ESET Mobile Security Android app, should be protected from infection since last September."
How do I avoid HummingBad?
To avoid HummingBad, you should always download apps from Google Play, or install from a reputable vendor's website (like the Amazon app from Amazon's website). Similarly, if you see that otherwise paid apps are available from a third-party site for free, you should always avoid them.
Another tip is to avoid visiting pornographic websites. It's no secret that these are often targetted by scammers and fraudsters. Consider doing some research regarding reputable sources of such material before clicking through links willy nilly (pardon the pun) on your handset.
How do I know if I my device has been infected by HummingBad?
The main indicator that you have a malware infection is that your device is exhibiting erratic behavior. For example, it could be showing ads or vibrating unexpectedly, or it could be consuming an unusually high amount of data or battery.
HummingBad, specifically, can install additional apps to your device without your knowledge, promote ads unexpectedly, or highlight mysterious apps for you to install in the Play Store.
Furthermore, if HummingBad fails to achieve root access, it may create a fake notification on your device to try and trick you into granting it admin privileges. Watch out for that.
How do I remove HummingBad if my device gets infected?
ESET's Mr Uhlemann said that if you have been infected by HummingBad, it's already too late to save your device. The threat infects devices by gaining root privileges, and the only way to circumvent this would be to flash new firmware or install a custom ROM. However, this is not a foolproof solution, as the software may have copied itself to another partition.
If you own a modern device and have been using it responsibly, you shouldn't worry too much HummingBad. Check out our guide to smartphone scams and how to avoid them for more details.
Is HummingBad a concern for you? Do you need any further information? Let me know in the comments or ask me on Twitter @scottadamgordon.
With contributions from Eric Herrmann of AndroidPIT.de.