Incident: Android Malware "HummingBad" Infects Over 10 Million Devices

Published Date: 2016-07-06

Postmortem Analysis
Timeline
1. The software failure incident involving the HummingBad malware happened in May 2016, as mentioned in Article 45822, which was published on 2016-07-06.

System
1. Android operating system
2. Android handsets
3. Google Play Store
4. Third-party Android stores
5. Android versions such as Jelly Bean and KitKat [45795, 45822]

Responsible Organization
1. The Chinese advertising company Yingmob was responsible for the software failure incident, having created the HummingBad malware [45795, 45822].

Impacted Organization
1. Android users worldwide, with an estimated 10 million infected handsets [45795, 45822]
2. Android users in China, India, the US, the UK, and Australia specifically [45822]

Software Causes
1. The software cause of the failure incident was the creation and distribution of the HummingBad malware by the Chinese advertising company Yingmob, with the main purpose of click fraud [Article 45795].
2. The malware exploited vulnerabilities in the Android operating system to gain root access to devices, allowing attackers to take full control, steal personal information, and generate fraudulent advertising revenue [Article 45795, Article 45822].

Non-software Causes
1. The main cause of the failure incident was the malicious intent of the Chinese advertising company Yingmob, which created the HummingBad malware. The malware was designed to generate advertising revenue through click fraud by tricking users into clicking on mobile and web ads [45795].
2. Users were infected primarily by installing apps from third-party Android stores or websites, which were less secure than the Google Play Store. Visiting dodgy websites that prompted the installation of software containing hidden payloads also contributed to the spread of the malware [45795].
3. The incident was exacerbated by the vulnerability of older Android versions such as Jelly Bean and KitKat to root exploits, which put them at higher risk from attacks like HummingBad. The lack of up-to-date security software on devices running these older versions also increased the risk of infection [45795].
4. The global spread of the malware, with significant numbers of infected devices in China, India, the US, the UK, and Australia, showed that the impact of the incident extended beyond any single region [45822].

Impacts
1. The HummingBad malware infected over 10 million Android devices globally, leading to potential data theft, unauthorized app downloads, and fraudulent advertising revenue generation [45795, 45822].
2. The malware gained root access to Android devices, giving attackers full control over them and potentially enabling spying on personal information, theft of bank login details, and other malicious activities [45795].
3. Users infected with the malware may notice unusual advertisements, rapid data depletion, unexpected system update notifications, prompts to install new apps, unknown apps present on the device, and faster battery drain [45795].
4. The majority of infected handsets were in China and India, indicating that third-party app stores and websites were the likely sources of infection [45795].
5. The incident highlighted the importance of installing security software on mobile devices, avoiding untrusted app sources, running threat prevention software, and keeping backups of data ready [45795].

Preventions
1. Installing security software on Android devices to detect and prevent malware like HummingBad [Article 45795].
2. Avoiding installing apps from sources other than Google Play, to reduce the risk of malware infection [Article 45795].
3. Keeping Android devices updated with the latest security patches to mitigate vulnerabilities that malware could exploit [Article 45822].
4. Being cautious while browsing and not clicking on suspicious links or visiting dodgy websites that could lead to malware infection [Article 45795].
5. Running threat prevention software on Android devices to identify and block potential threats [Article 45795].
6. Keeping a backup of important data so it can be recovered after a malware attack [Article 45795].

Fixes
1. Installing security software on the phone to detect whether a rootkit is present and alert the user [Article 45795].
2. Removing the malware by resetting the phone and starting from scratch, if the user manually installed a Yingmob app [Article 45795].
3. Flashing a new ROM onto the phone if the malware obtained root access, which may require assistance from the mobile operator [Article 45795].
4. After a factory reset, reinstalling only apps from trusted locations such as the legitimate Google Play Market [Article 45795].
5. Avoiding clicking on suspicious links, using trusted stores and vendors, running threat prevention software, and keeping a backup of data ready [Article 45795].

References
1. Check Point security firm [Article 45795, Article 45822]
2. Security experts at Blue Coat Systems [Article 45795]
3. Shaun Aimoto, principal software quality assurance engineer at Symantec [Article 45795]
4. Google [Article 45822]

Software Taxonomy of Faults

Category Option Rationale
Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the HummingBad malware has happened again at the same organization. The malware was created by a Chinese advertising company called Yingmob, which is responsible for generating advertising revenue through click fraud using the malware [45795, 45822].
(b) The software failure incident has also happened at multiple organizations or with their products and services. The HummingBad malware has infected over 10 million Android devices globally, indicating that the incident has affected users across different regions and countries, including China, India, the US, the UK, and Australia [45795, 45822].
Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase: The incident of the HummingBad malware infecting over 10 million Android devices was primarily due to users installing less-than-hygienic apps from third-party Android stores or websites [45795]. This indicates a failure in the design phase, where the security measures of the Android operating system may not have been robust enough to prevent users from installing potentially harmful apps from untrusted sources.
(b) The software failure incident related to the operation phase: The operation-related failure in this incident is highlighted by the fact that once the malware infected a device, it could force the device to download apps and tap on adverts to generate fraudulent advertising revenue, potentially without the user's knowledge [45822]. This shows how the operation of the infected devices was compromised by the malware, leading to unauthorized actions being performed on the devices without the users' consent.
Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident related to the HummingBad malware was primarily caused by factors originating from within the system. The malware gained "root access" to Android devices, allowing it to take full control and perform malicious activities such as stealing personal information, generating fraudulent advertising revenue, and downloading unauthorized apps [45795, 45822]. The malware's ability to trick users into granting system-level permissions, and its capability to force devices to perform actions without the user's knowledge, are internal aspects of the software failure incident.
(b) outside_system: Contributing factors that originated from outside the system include users installing less-than-hygienic apps from third-party Android stores or websites, visiting dodgy websites that prompt the installation of malware-infested software, and potentially traveling from regions where third-party app stores are more popular [45795]. These external factors facilitated the initial infection of Android devices with the HummingBad malware.
Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The HummingBad malware was created by a Chinese advertising company, Yingmob, with the main purpose of generating advertising revenue through click fraud [45795].
- The malware infected over 10 million Android devices globally by tricking users into clicking on mobile and web ads, without direct human involvement in the infection process [45795].
- The malware gained "root access" to Android devices, allowing it to perform various malicious activities, such as spying on personal information and stealing bank login details, without direct human intervention [45795].
- The malware could download additional payloads and invite more malicious software onto the infected devices, spreading further without human interaction [45795].
- The malware could force infected devices to download apps and tap on adverts to generate fraudulent advertising revenue, potentially without the user's knowledge [45822].
(b) The software failure incident occurring due to human actions:
- Users likely got infected by installing apps from third-party Android stores or websites, indicating human actions in the process of introducing the malware to their devices [45795].
- Some users may have visited dodgy websites that prompted them to install software containing the malware, showing human involvement in the initial infection process [45795].
- Check Point did not find any malware-infested apps on Google Play, suggesting that users who installed apps from untrusted sources contributed to the spread of the malware through their actions [45795].
- Users who ignore Android's default settings and allow app installs from third-party sites are at risk of infection, highlighting the role of human actions in making devices vulnerable to malware [45795].
- Google actively blocks installations of infected apps to keep users and their information safe, indicating the importance of human actions in preventing malware infections [45822].
Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident related to hardware: The software failure incident discussed in the articles is primarily due to malware called HummingBad infecting over 10 million Android devices worldwide [45795, 45822]. This malware gains "root access" to Android devices, allowing it to take full control of the underlying Android system [45795]. The malware can infect devices through drive-by-download attacks when users browse certain websites [45822]. If the malware cannot gain root access, it tricks users into granting almost full control via a fake update notification [45822].
(b) The software failure incident related to software: The software failure incident is caused by the HummingBad malware, which is a software-based issue [45795, 45822]. The malware is designed to trick users into clicking on mobile and web ads, generating advertising revenue for its parent company [45795]. It can also steal user information, download unauthorized apps, and tap on advertising to generate fraudulent revenue [45822]. The malware's ability to manipulate the device's permissions and control is a software-related flaw that leads to the failure incident.
Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The objective of the software failure incident was malicious. The HummingBad malware was created by a Chinese advertising company with the main purpose of generating advertising revenue through click fraud. The malware gained root access to Android devices, allowing the attackers to potentially spy on personal information, steal bank login details, and control the devices for various malicious activities [45795, 45822].
Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incident involving the HummingBad malware was a result of poor decisions made by the creators of the malware. The main purpose of the malware was to generate advertising revenue through click fraud by tricking users into clicking on mobile and web ads [Article 45795].
- The malware creators could potentially sell the rootkit on the internet's black market, indicating malicious intent beyond just click fraud [Article 45795].
(b) The intent of the software failure incident related to accidental_decisions:
- The software failure incident was not due to accidental decisions but rather to deliberate actions taken by the creators of the HummingBad malware to exploit Android devices for financial gain [Article 45795].
- The malware was designed to take full control of Android devices, steal personal information, and generate fraudulent advertising revenue, indicating a deliberate and malicious intent behind the software failure incident [Article 45822].
Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident related to development incompetence is evident in the HummingBad malware incident. The malware was created by a Chinese advertising company, Yingmob, with the main purpose of generating advertising revenue through click fraud. The malware gained "root access" to Android devices, allowing it to potentially spy on personal information, steal bank login details, and perform various malicious activities [45795].
(b) The software failure incident related to accidental factors is seen in how users could have unknowingly installed the malware on their devices. Many people likely got infected by installing apps from third-party Android stores or websites that contained the malware. Additionally, some users may have visited malicious websites that prompted them to install software with hidden payloads, leading to the spread of the malware [45795].
Category: Duration
Option: permanent, temporary
Rationale:
(a) The software failure incident related to the HummingBad malware can be considered a permanent failure. The malware, once installed on an Android device, gains root access to the operating system, allowing it to take full control of the device. This level of access enables the malware to perform various malicious activities, such as stealing personal information and banking details, and engaging in click fraud to generate revenue for the attackers [45795, 45822].
(b) On the other hand, the software failure incident can also be seen as a temporary failure in the sense that users who have been infected with the HummingBad malware can take actions to remove it from their devices. Recommendations include installing security software, resetting the device, changing passwords, and being cautious about app installations from untrusted sources. However, if the malware has gained root access, a factory reset may not be sufficient, and users may need to seek assistance from their mobile operators to flash a new ROM onto their devices [45795, 45822].
Category: Behaviour
Option: crash, omission, value, byzantine, other
Rationale:
(a) crash: The HummingBad malware can take over a smartphone or tablet, potentially leading to a crash or system instability [Article 45822].
(b) omission: The malware can download unauthorized apps and tap on advertising without the user's knowledge, indicating an omission of performing intended functions by the system [Article 45822].
(c) timing: The malware may trick users into granting almost full control via a fake update notification, potentially causing the system to perform its functions at the wrong time [Article 45822].
(d) value: The HummingBad malware can steal and sell user information, including banking details, indicating a failure in performing intended functions correctly [Article 45822].
(e) byzantine: The malware can force devices to download apps and tap on adverts to generate fraudulent advertising revenue without the user's knowledge, showing inconsistent and deceptive behavior [Article 45822].
(f) other: The malware gains "root access" to Android, allowing it to potentially do anything the attacker wants, from spying on personal information to stealing bank login details, showcasing a severe and invasive behavior not covered by the other options [Article 45795].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Category: Consequence
Option: property, theoretical_consequence
Rationale:
(a), (b), (c): unknown
(d) The software failure incident led to potential harm to people's material goods and data. The HummingBad malware infected over 10 million Android devices worldwide, potentially allowing attackers to steal and sell user information, including banking details, and generate fraudulent advertising revenue without the users' knowledge [45795, 45822].
(e), (f), (g): unknown
(h) The potential consequences discussed include the malware being able to gain root access to Android devices, leading to various malicious activities such as spying on personal information, stealing bank login details, and potentially selling access to the infected devices or user information [45795, 45822].
(i) unknown
Category: Domain
Option: information
Rationale:
(a) The failed system related to the production and distribution of information, as it involved a malware incident affecting Android devices worldwide, leading to potential data theft and unauthorized access to personal information [45795, 45822].
(b) through (l): Not mentioned in the articles.
(m) The failed system is related to the technology industry, specifically the mobile operating system sector, as the malware incident targeted Android devices, which are widely used for various purposes including communication, entertainment, and productivity [45795, 45822].

Sources
