
Android Malware Spreads Via Porn Sites

Security researchers have discovered active Android malware that spreads via malicious online advertisements and seeks to take complete control of a targeted device.

The HummingBad malware, which was found on the devices of two employees at a major financial services institution, seems to have infiltrated the Android units via malicious ads displayed on pornographic websites, according to Check Point Mobile Threat Prevention, which added that such malware is also known to spread through major online ad networks.


While HummingBad is relatively harmless for the moment, seeking primarily to drive fraudulent traffic to the Google Play shop in order to boost ad revenues, it remains hidden on the infected system and able to download and install additional components, Check Point said.

“As the malware installs a rootkit on the device, it enables the attacker to cause severe damage if he decides to change his objectives, including installing key-logger, capturing credentials and even bypassing encrypted email containers used by enterprises,” the firm stated in an advisory.

The malware is unusually complex, including two separate attacks that attempt to take over the device – one that does so silently and another that requires user interaction, asking the user to approve the installation of a supposed system software update, Check Point said.

The malware’s malicious components are initially encrypted, making it harder for security software to spot until after the system has been successfully taken over, according to researchers.

Ad fraud

After installation, the malware contacts its control servers and tries to download a list of executable files, some of which drive fraudulent traffic to Google Play and others of which install fraudulent apps on the system.

“It is interesting to note that all of the command and control servers are still alive and contain dozens of malicious APKs,” Check Point said.

HummingBad is the latest in a series of Android attacks apparently launched by the same group over the past few months, with others including Brain Test, PushGhost and Xinyinhe, according to Check Point.

In September Brain Test was found in applications on Google’s official Play shop, which Google said had been downloaded by up to 1 million users. Google removed similar malware in Play again in January.

Google has frequently been infiltrated by malicious apps, with the Android.Xiny.19.origin Trojan found in more than 60 games earlier this month.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
