HummingBad and Worse: Android Malware to Watch Out For

In the hearts and minds of most consumers, mobile devices have replaced traditional computers. More than two years ago, the number of global mobile users exceeded desktop users, and the disparity has been growing ever since. Today, according to various marketing studies, mobile represents an astounding 65 percent of digital media time.

While this might seem like a gigantic leap forward for technology, it might actually be a significant step backward for safety and security. One study found that more than a third of mobile users do absolutely nothing to secure their devices from attack ― not even a lock screen to thwart physical theft. This is especially alarming considering the growing numbers of malware developed specifically for mobile operating systems.

Android is slightly more susceptible to hacking than iOS for a variety of reasons ― including that Android runs on 80 percent of smartphones and tablets, a sizeable majority of mobile devices ― which means it has some of the most terrifying examples of malicious malware. Here are a few of the most recent (and most distressing) malware found on Android devices around the world.


It might come as a surprise that HummingBad ― which was named not by its creators but by Israeli digital security firm Check Point ― was created not by some underground group of cybercriminals but rather a well-known Chinese advertising agency called Yingmob. The virus’s goal is to trick users into clicking on ads, which generates revenue for the agency. In that sense, it is no worse than those browser toolbars that sunk their hooks into machines more than a decade ago.

Unfortunately, HummingBad goes one step further to deliver ad content. The malware sinks its hooks into the heart of the Android operating system, allowing Yingmob to do almost anything, from send unintended text messages to steal bank login credentials. As yet, Yingmob has only used HummingBad for ads, which appear unexpectedly and drain the battery and bandwidth of devices ― but soon they might sell the toolkit online to someone with more malicious intent.

Currently, about 10 million Android devices are infected with HummingBad, and most of those reside in China and India. However, about 250,000 American devices carry the malware, which is typically accidentally downloaded through third-party app stores with less-than-rigorous vetting procedures. As long as Android users have effective mobile security apps, use only Google Play to acquire apps, and stay current on operating system updates ― since older versions are more susceptible to this type of attack ― they should remain safe.


Though HummingBad might be the most recent Android malware, Stagefright is generally regarded as the worst mobile security exploit in history ― and it might be back for a third time. The bug is perhaps more insidious than other types of mobile malware because of how easily it can enter a phone or tablet. Unlike HummingBad or the vast majority of mobile viruses, Stagefright can insinuate itself onto devices without users’ intervention.

Taking advantage of a weak Android component named Stagefright, cybercriminals send multimedia-laced messages (or encode MP4 videos viewed in webpages or apps) that provide them with permissions to access Android’s root system. From there, attackers can perform the same actions as Yingmob can with HummingBad: steal login information, use the camera and microphone, read contacts, and more.

Rebranded as Metaphor, the new third version of Stagefright is as effective at infiltrating Android devices as ever. Typically, users will receive an odd message that causes their devices to reboot ― at which point Metaphor is already knee-deep into the operating system. The infection requires less than 10 seconds, after which criminals can use contact information to send the virus on.

Nearly one billion devices have the Stagefright vulnerability, but Google asserts that recent security patches will thwart the virus from doing damage. However, until the exploit is closed for good, Android users should take additional security precautions, including downloading security software and monitoring vulnerability to Stagefright.

Ghost Push

Two years is like a century for security experts, whose cyber–arms race typically evolves hour-to-hour. However, the two-year-old Ghost Push Trojan virus remains as dangerous as ever to Android devices. Like HummingBad and other common malware, Ghost Push most often finds its way onto devices through suspicious links and app downloads, but recently, the virus has been located on apps in the Google Play store, meaning it has more opportunities than ever to victimize Android users.

As soon as it finds itself on a device, Ghost Push adds encrypted core codes to the system directory to disguise itself as a built-in app and trick the device (and potential security software) into following its commands. From there, Ghost Push can take command of the device, displaying advertisements, demanding money from users, leading users to inappropriate content, and more.

Every Android upgrade since 6.0 Marshmallow is immune to Ghost Push, but because not every Android user keeps their operating systems up-to-date, at least half of all Android users continue to be threatened by this malware. The best strategy to beat this cyberattack is upgrading to newer Android devices and systems, but there are effective Trojan-killers that will stop Ghost Push at its source.