# HummingBad
Massive ad fraud rootkit operated by the Chinese advertising company Yingmob. Discovered by Check Point in February 2016, HummingBad infected 10 million devices, installed 50,000+ fraudulent apps per day, displayed 20 million malicious ads daily, and generated $300,000+/month in revenue. Check Point traced the operation to a 25-person team within Yingmob called "Development Team for Overseas Platform."
## Overview
| Property | Value |
|---|---|
| First Seen | February 2016 |
| Type | Rootkit / Ad fraud |
| Attribution | Yingmob (Chinese advertising company, Chongqing) |
| Aliases | Backdoor.AndroidOS.Hummer (Kaspersky), Shedun/GhostPush (Lookout, disputed) |
## Distribution
Distributed through third-party app stores and drive-by download attacks launched from malicious websites. HummingWhale, the evolved variant, later infiltrated Google Play in 20+ apps.
## Capabilities
| Capability | Implementation |
|---|---|
| Root exploits | Multiple exploit chains, rooting thousands of devices daily |
| Ad fraud | 20 million malicious ads/day, 12.5% click-through rate via trick-clicks |
| Silent installs | 50,000+ fraudulent apps installed per day after rooting |
| Revenue generation | $300,000+/month in fraudulent ad revenue |
## Impact
| Metric | Value |
|---|---|
| Infected devices | 10 million |
| Top country | China (1.6M devices) |
| Second | India (1.35M devices) |
| Other affected | Philippines, Indonesia, Turkey |
## Evolution
HummingWhale (January 2017) was a significantly evolved variant found in 20+ Google Play apps that followed a com.XXXXXXX.camera naming convention. Instead of installing the fraudulent apps on the device, it ran them inside a virtual machine, which left a smaller footprint and made it stealthier. Yingmob was also linked to the YiSpecter iOS malware.
## Naming Controversy
Lookout claimed HummingBad is the same family as Shedun/GhostPush/ShiftyBug. Check Point and ElevenPaths argued they are distinct families. The overlap stems from shared rooting techniques and the common Yingmob actor group rather than shared code lineage established by either side.