Goldilocks, HummingBad Android malware, and the cost of what if

The recent flood of attention devoted to the Chinese HummingBad Android malware focuses on the millions of infected smartphones but skips over a crucial question: what does it cost the owner of an infected phone?

“The answer is that it costs users almost nothing – or it might cost them an awful lot. It all really depends on what the malware developers do once they step into an infected device,” said Alexander Bauer, Android malware specialist at Avira.

HummingBad has a lot in common with the story of Goldilocks and the Three Bears. After all, what could have happened if Goldilocks wasn’t a sweet little girl innocently tasting porridge and hot chocolate but instead was an intrusive little house thief scooping up Mrs. Bear’s bank account details, stealing the silverware, and spray painting nasty words all over the kitchen?

The Three Bears would not be such a pleasant bedtime tale. Instead, the story would become a cautionary tale about the importance of closing, locking, and double checking that the house door was indeed closed. And this is why Avira has long detected HummingBad and its previous derivatives as malware. The detection rules “ANDROID/Iop.AN.Gen” and “ANDROID/Iop.AR.Gen” for the HummingBad family have been available since December 2015.

“We’ve categorized it as backdoor because once it enters the device, just as Goldilocks entered the house, it can be used for different actions thanks to its automatic rooting capabilities — botnet attacks, run hidden advertisements to create click-fraud revenue, and steal private data,” stated Bauer.

In general, rooting an Android phone means breaking the device’s security mechanisms to get root (administrator) permissions. Some users do this in order to get greater control over and customization of their devices. With the ‘automatic rooting’ capability of the HummingBad Android malware, it is done in a concealed way, without user notification or interaction.

“This opens the doors to a variety of bad, bad things,” explained Bauer. “But it really depends on the decisions by malware creators.” The loss of privacy, just like for the Three Bears, is the greatest consequence for the end user as the malware can steal sensitive information from the device. In addition, the malware can create botnets from groups of infected devices for targeted attacks.

At the moment, the HummingBad Android malware primarily generates revenue through click fraud, getting users to click on popup advertisements and banner ads sent to their phones. “The cost of this fraud is primarily covered by advertisers, although it might cause higher internet traffic for users and increase the CPU/RAM usage on the device as more services and apps are running,” said Bauer.

HummingBad is estimated to have infected over 10 million devices globally, with the majority of these devices in China and Asia. The primary infection vector has been through downloading apps outside of the official Google Play market. Smartphone users can scan their devices to see if they have been infected with HummingBad with the free Avira Antivirus Security app.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.