Yingmob

Description

(Check Point) Check Point Mobile Threat Prevention has detected a new, unknown mobile malware that targeted two customer Android devices belonging to employees at a large financial services institution. Mobile Threat Prevention identified the threat automatically by detecting exploitation attempts while examining the malware in the MTP emulators.

The infection was remediated after the system notified the devices owners and the system administrators. The infection vector was a drive-by download attack, and the Check Points Threat-Cloud indicates some adult content sites served the malicious payload.

Called HummingBad, this malware establishes a persistent rootkit with the objective to generate fraudulent ad revenue for its perpetrator, similar to the Brain Test app discovered by Check Point earlier this year. In addition, HummingBad installs fraudulent apps to increase the revenue stream for the fraudster.

Names

Name	Name-Giver
Yingmob	real name

Country

• China

Motivation

• Financial gain

First Seen

2016

Observed Countries

• Algeria
• Bangladesh
• Brazil
• China
• Colombia
• Egypt
• India
• Indonesia
• Malaysia
• Mexico
• Nepal
• Pakistan
• Philippines
• Romania
• Russia
• Thailand
• Turkey
• Ukraine
• USA
• Vietnam
• others

Tools

• DroidPlugin
• Eomobi
• HummingBad
• HummingWhale
• Yispecter

Operations

• 2017-01: A Whale of a Tale: HummingBad Returns https://blog.checkpoint.com/2017/01/23/hummingbad-returns/

Information

• https://blog.checkpoint.com/2016/02/04/hummingbad-a-persistent-mobile-chain-attack/
• http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

Other Information

Uuid

e97f9ec0-b69d-408b-aa78-049e67d50c93

Last Card Change

2020-04-14