Understanding an Android Malware known as HummingBad

The following information was obtained from the different cyber security sources and provided as a notification to all parties concerned pursuant to the mandate of the Philippine National Police  Anti-Cybercrime Group  (PNP ACG).

The information provided is classified as Restricted pursuant to the PNP Regulation 200-012 on document security with impact rating of significant and threat rating of high, based on PNP Information and Communications Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.


HummingBad, an Android malware estimated to have touched over 85 million devices worldwide, was recently found in 46 new applications, 20 of which had even made their way into the official Play Store, passing Google's security checks. In terms of Android malware, HummingBad is the biggest player active today, accounting for 72% of all mobile infections, according to Israeli security firm Check Point.  

According to a report by Check Point, the main purpose of the HummingBad malware is to trick users into clicking on mobile and web ads, which generates advertising revenue for its parent company, Yingmob – a practice known as “clickfraud”. It’s a lot like the browser toolbars designed to deliver ads to your computer a decade ago, says Dan Wiley, head of incident response for Check Point. But HummingBad is far worse. Because the malware gains “root access” to Android – the very heart of your phone’s operating system – and then calls home to a server controlled by Yingmob, it could be used to do virtually anything the attacker wants it to do, from spying on your personal information to stealing your bank login details.

Most people probably got infected because they installed a less-than-hygienic app from a third-party Android store or website, says Wiley. Check Point, he adds, did not find any of the malware-infested apps on Google Play, the primary source of Android apps for most US consumers. Other people may have visited a dodgy web site, which prompted them to install a piece of software containing a hidden payload. And once installed, the malware invited even more of its nasty friends to the party, downloading additional payloads.The vast majority of the 10m infected handsets reside in China and India, indicating third-party app stores – which are far more popular overseas – as the most likely sources. But around 250,000 are based in the US, so could be people who are traveling from Asia to the US, or simply people who ignore Android’s default settings and allow app installs from third-party sites, Wiley explains.2

Are you at risk? A lot depends on whether you install apps from sources other than Google Play and how old your version of Android is, says Shaun Aimoto, principal software quality assurance engineer at Symantec, which sells Norton Mobile Security for Android handsets. Older versions of Android like Jelly Bean (4.1 to 4.3) and KitKat (version 4.4.x) are at higher risk for root exploits, says Aimoto. Fortunately most of these exploits are well known and can be prevented by having up-to-date security software installed, he notes. 2


    The community is advised to follow the best practices listed for securing and protecting information whether for personal use or for work:

•    If you don't know what it is, don't install it;
•    Only install from Google Play or other reputable app stores;
•    Uncheck "Install from unknown sources";
•    Run some kind of threat prevention software; and
•    Have a great backup of your data ready in case you need it.

For additional information, please refer to the following security websites:



    Please contact CSRAD, PNP ACG for any inquiries related to this CYBER SECURITY BULLETIN at and This email address is being protected from spambots. You need JavaScript enabled to view it. or call 7230401 local 5337.