Several months ago there was a media explosion about Android-rooting malware on Google Play. Those families were discovered by Cheetah Mobile Security Research Lab, Check Point, Lookout, FireEye, and Trend Micro, and were variously named NGE MOBI/Xinyinhe, Brain Test, Ghost Push, Shedun or Kemoge. In a previous report, we tried to connect the dots and concluded that there was a good chance each malware was developed by the same group, which had been evolving its techniques since 2014.

Now it is happening again: there are numerous reports in the media about HummingBad, Hummer, and Shedun Reloaded. Do they belong to the same malware family? It all depends on which lab is doing the analysis.

In February, Check Point alerted the market about HummingBad. It followed the same «rules» established by the Brain Test family, which means it introduces a rootkit on the phone, is almost impossible to remove, and installs fraudulent apps automatically. But it was stunningly more sophisticated. It was installed by drive-by downloads, its content was encrypted, and it used several redundancy methods to ensure infection (automatic and, if that was not possible, social engineering). Some of the infrastructure used as C&C was hxxp:// domain, hxxp:///z/u/apk, hxxp:// and hxxp://.

And it gets worse. In early July, Check Point researchers attributed HummingBad to a «legitimate» advertising company called Yingmob, also responsible for the iOS malware called YiSpecter, which took advantage of its enterprise certificate to install itself and was discovered in late 2015.

Also in July, Cheetah Mobile wrote about a malware it called Hummer, a new threat different from GhostPush (its own name for Shedun, Kemoge, BrainTest, etc.). Although Cheetah Mobile does not explicitly say so, Hummer is HummingBad, as we can easily confirm with Tacyt: for example, it uses the same infrastructure and the same rooting file, called right_core.apk, which is sometimes embedded in the app and sometimes downloaded.

[Figure: A HummingBad/Hummer sample with some of the singular URLs used]

They claim HummingBad, or Hummer, is the same as Shedun, discovered in November 2015. It maintains Shedun is closely related to the BrainTest/GhostPush family, but it only describes the HummingBad malware as «not new», without any further technical details.

So, is this HummingBad/Shedun an evolution of the same cybercriminal group we connected in our previous report, or does it come from a different group? Let's take a look.

HummingBad, or Hummer, comes from a «legitimate» adware company called Yingmob which, for a while, had its «Hummer Launcher» app on Google Play. Google eventually removed the app in May 2015.
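The pivot used above to tie Hummer to HummingBad (shared C&C infrastructure plus the same rooting file, right_core.apk, either embedded or downloaded) can be reproduced over a local sample set. The Python below is an added example, not code from the original post or from Tacyt: it string-scans constructed in-memory APK-like zips for URLs and for an entry named right_core.apk, then clusters samples that share a C&C host. The host c2.example.test, the sample names and the zip contents are constructed; only the /z/u/apk path and the payload name come from the post.

```python
import io
import re
import zipfile
from collections import defaultdict

ROOTING_PAYLOAD = "right_core.apk"  # rooting file named in the post
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._/-]*)?")

def extract_indicators(apk_bytes):
    """Return (rooting payload embedded?, URLs) by string-scanning each zip entry."""
    urls, has_payload = set(), False
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for entry in z.namelist():
            if entry.rsplit("/", 1)[-1] == ROOTING_PAYLOAD:  # the embedded variant
                has_payload = True
            for m in URL_RE.finditer(z.read(entry)):
                urls.add(m.group().decode())
    return has_payload, urls

def cluster_by_shared_infrastructure(samples):
    """Group sample names that share at least one URL host (union-find)."""
    parent = {name: name for name in samples}
    def find(n):
        while parent[n] != n:
            n = parent[n]
        return n
    host_to_samples = defaultdict(set)
    for name, data in samples.items():
        for url in extract_indicators(data)[1]:
            host_to_samples[url.split("/")[2]].add(name)  # host part only
    for names in host_to_samples.values():
        root = find(next(iter(names)))
        for other in names:
            parent[find(other)] = root
    clusters = defaultdict(list)
    for name in samples:
        clusters[find(name)].append(name)
    return sorted(sorted(c) for c in clusters.values())

def make_sample(entries):  # constructed in-memory APK-like zip from {path: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in entries.items():
            z.writestr(path, data)
    return buf.getvalue()

SAMPLES = {  # constructed corpus: a embeds the payload, b shares a's host, benign does not
    "hummer_a.apk": make_sample({"assets/right_core.apk": b"PK\x03\x04stub", "classes.dex": b"\x00http://c2.example.test/z/u/apk\x00"}),
    "hummingbad_b.apk": make_sample({"classes.dex": b"\x00http://c2.example.test/update\x00"}),
    "benign.apk": make_sample({"classes.dex": b"\x00https://www.example.org/\x00"}),
}
```

On real samples the string scan misses encrypted or packed strings, so for a variant like the one described above the embedded-payload name and sandbox network captures are the more reliable pivots.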