There has been a startling rise in a class of Android auto-rooting malware which is believed to affect over a quarter of a million phones in the US and well over a million in each of India and China. So far the attack has primarily infected older versions of Android: KitKat, Jelly Bean and Lollipop.
The malware, known as Shedun or HummingBad, is believed to be produced by the Chinese mobile ad-server company Yingmob and primarily installs fraudulent apps and serves malicious ads. Yingmob today generates healthy revenue purely from these services, but having root access to millions of Android devices obviously allows it to expand into even more malicious services in support of cyber-criminals, state actors and others.
The malware seems to start, at least in some cases, through drive-by download. You visit a website (porn websites are apparently notorious for this) from which the software installs without you having to accept any download. Once on the device, the malware exploits the phone to gain root access and installs itself as system software.
The malware is quite sophisticated in its installation and is nearly impossible to remove. Among other things, it modifies the recovery information so that even if you do a factory recovery on the phone, it is restored along with the other system software. It seems that the only ways to remove it are to reflash the ROM or buy a new phone. Users are advised to live a virtuous life (stay away from porn sites) and to bar all downloads from outside Google Play; that action alone apparently reduces success rates for Android malware in general.
You can read more HERE.