A dangerous instance of malware, HummingBad, recently affected 85 million devices worldwide. The malware gains administrative control over Android devices, generating fraudulent ad revenues and installing mobile apps without the user’s knowledge.  

Even though it first reared its head in February, the number of HummingBad infections spiked early this summer. HummingBad generates $300,000 in revenue per month through forced downloads and fraudulent ad clicks, gaining enough critical mass to create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cybercriminals on the black market. It’s important to recognize that any data on these devices is at risk, including enterprise data on devices individuals use for personal and work purposes – in short, Bring Your Own Device (BYOD) enthusiasts.   

Even more disconcerting is that this attack wasn’t perpetuated by faceless hackers in the far corners of the deep web. This came from China-based Yingmob, an otherwise legitimate, multimillion-dollar advertising analytics agency.   

According to research from Check Point, a third party security company, India and China have the most victims – each with over 1 million devices. The United States has the eighth largest number of victims, coming in at nearly 300,000 devices. This is a truly global phenomenon, though, including countries from Brazil and Mexico to Russia and Nepal – and virtually everywhere in between.  

HummingBad began as what is known as a “drive-by download attack”, in which phones were infected when people visited particular websites. The first component attempts to gain access on a device with rootkit software exploiting multiple vulnerabilities. If that’s successful, the hackers gain full access to a device. If that fails, the other avenue is a fake system update notification, tricking users into granting HummingBad system-level permissions.  

Smartphone users concerned their devices may be infected with this malware should first check their downloaded apps and see if there are any they didn’t install themselves. If the user detects anything unfamiliar, the next step would be to reset the device to factory settings. Restarting your phone is not enough to get rid of the malware.  

HummingBad should remind all of us that our reliance on smart devices for day-to-day life, including work, creates opportunities for hackers and malicious organizations to attack us. This isn’t just for Android devices, either. Apple, previously known for being virus and malware-proof, has been hit by multiple attacks, including some from the same group behind HummingBadNo phone is completely safe from malware.  

This leaves information systems security officers in a difficult position. Embracing BYOD is vital to attract and retain talent in many industries today. However, BYOD opens up a whole new world of cybersecurity for which they must account. Don’t forget these officers are also responsible for ensuring their existing IT environments and data are safe from cyberattacks as well.  

It’s time for heads of information security and third-party cybersecurity experts to establish a new way to work together. End points are clearly vulnerable to malware and ransomware threats. Companies need to do what they can to protect themselves, particularly by training their employees. Make sure that each endpoint device is hardened. Alert end users to new software patches to keep up with a constantly evolving enemy. You’re probably already backing up your files, but make sure that you implement even longer retention periods for your backups and encrypt them. End users need to be watched like hawks, not because they are inherently malicious in intent, but because we don’t live in a benevolent world. Heads of information security need to focus on their people. Allow third-party cybersecurity experts to focus on supporting companies with technology and constant vigilance.  

We can help: US Cyber Vault monitors, protects, and secures your company and its data from cyberattacks by combining the industry’s strongest team of cyber intelligence experts and technology. Our flagship Vault product protects your assets with hardened security at every layer, including hardware, applications, and endpoints. Military-grade encryption is applied to all your data and communications by default and the speed of our threat detection is unparalleled: less than 24 hours, not the industry standard of 7 months. If an unplanned event should occur, countermeasures trap the attacker and mitigate damage while our cyber intelligence team responds immediately.    


Written by Rob LaMear, CEO, US Cyber Vault

Once a month we share where we will be speaking in the world as well as expert opinions on cyber security, data loss prevention, and information security that we like from the larger community.  Receive our next issue by signing up here.