Back in February we told you about Hummingbad. A malware found on Android which gains root access to android phones in order to install other applications and display ads. I’ve seen several news articles speaking about Hummingbad today, more specifically about the company behind it. Why has this suddenly caught the interest of media? Because of the amount of money being made.
The first shocking thing about Hummingbad is that this is a case in which we are not talking about the typical hacker. At least not the typical hacker which we tend to think of when we talk about malware. Hummingbad was created and is maintained by Yingmob. Yingmob is a legitimate Chinese advertising analytics company. Check Point security believes that Hummingbad has infected more than 10 million devices worldwide, with the majority of infected devices residing in China, India, and the Phillipines. Moreover, it is believe that Yingmob has nearly 85 million devices under it’s control via other malware items it controls affecting both Android and iOS devices.
Why would a commercial company be involved in such a trade? For revenue. It is believe that Hummingbad, which primarily generate ad revenue for Yingmob generates $300,000 per month. This figure comes from over 20 million advertisements shown per day with 2.5 clicks per day adding up to $3000 per day. Add to that, Hummingbad installs over 50,000 fraudulent apps per day leading to over $7,500 in revenue per day. It’s quite a lucrative business.
I want to ask a question I haven’t seen asked throughout the various posts I’ve read on Hummingbad today.
What defines malware any more?
Hummingbad is surely something we don’t want on our phones. The fact that it gains root access leaves the user open to more malicious attacks should Yingmob choose. Add to that, the amount of ad activity and app installing it does, surely affects the performance of the phone and uses user’s data allowance. However, this is an actual commercial company in China, offering legitimate services. It is using Hummingbad as a source of revenue. This revenue is being generated through advertising dollars, without user consent.
I look at a few of the western world’s top mobile apps and I see some things that I would also define as malware. Of course, I’m looking at Facebook and Google. Both are offering user’s legitimate services. They also do things which users do not know about, may not approve of if they did know about it, and will use users data allowance without their knowledge. Of course, with these companies, user’s choose to use these apps, and agree to their EULA as they start using it. But who really reads a EULA? Do we believe that all Facebook users understand that private messages in Facebook Messenger are being collected with information being sold to third parties? Do we really believe that all Google users understand that their every online move and app usage is being collected by Google for their own advertising revenue? I don’t believe so.
Obviously, Hummingbad is malware. There is a line between a true commercial app and malware, but that line has been blurred, and it’s just getting more blurred. The real question is; If Yingmob included a EULA upon installation of an app infected by Hummingbad, informing users, of course in extremely general terms, of what Hummingbad would do to their phones, would it still be considered malware?
FYI, for all the Android Priv users out here, Hummingbad works by gaining root access. BlackBerry Android has yet to be rooted.