{
	"id": "9f8f8f3f-4685-4cec-8e9a-6faf1afc4320",
	"created_at": "2026-04-06T00:19:57.107753Z",
	"updated_at": "2026-04-10T03:36:13.598742Z",
	"deleted_at": null,
	"sha1_hash": "63f33e7ccbff8862744d853f12ca0758366f8ca3",
	"title": "HummingBad: A Persistent Mobile Chain Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56411,
	"plain_text": "HummingBad: A Persistent Mobile Chain Attack\r\nBy bferrite\r\nPublished: 2016-02-04 · Archived: 2026-04-05 16:28:15 UTC\r\nCheck Point Mobile Threat Prevention has detected a new, previously unknown mobile malware that targeted two Android devices belonging to employees of a large financial services institution. Mobile Threat Prevention identified the threat automatically by detecting exploitation attempts while examining the malware in the MTP emulators.\r\nThe infection was remediated after the system notified the device owners and the system administrators. The infection vector was a drive-by download, and Check Point's ThreatCloud indicates that some adult content sites served the malicious payload.\r\nCalled HummingBad, this malware establishes a persistent rootkit with the objective of generating fraudulent ad revenue for its perpetrator, similar to the BrainTest app discovered by Check Point a few months earlier. In addition, HummingBad installs fraudulent apps to increase the revenue stream for the fraudster.\r\nOur analysis of HummingBad shows that multiple fraudster groups continue to evolve their methods, including ensuring the persistence of the malware once infection has succeeded. This campaign is the latest in a series initiated by various fraudster groups in the last four months.\r\nThis epidemic of Android malware includes BrainTest, PushGhost and Xinyinhe. Moreover, because the malware installs a rootkit on the device, it enables the attacker to cause severe damage should he change his objectives, including installing a keylogger, capturing credentials and even bypassing the encrypted email containers used by enterprises.\r\nHummingBad: A Complex Malware\r\nHummingBad starts a sophisticated chain attack that is interesting in a few respects. First of all, the malware's malicious components are all encrypted. 
This makes it much harder for security solutions to detect that it is malware, since no malicious code is visible for inspection. Second, the malware initiates a silent attack vector; if this fails, it initiates a second attack vector with the same capabilities as the first. This is an interesting course of action for mobile threats because the redundancy helps the perpetrator ensure the objective is met. Finally, each attack vector consists of several stages, including decrypting and unpacking the actual malicious code.\r\nThe Two Attack Vectors\r\nHummingBad contains two files within its assets, and each generates a separate attack. The first attack vector generates a silent operation triggered by one of three common events on the device:\r\nBOOT_COMPLETED – occurs after the device boots.\r\nTIME_TICK – occurs every time a minute passes.\r\nSCREEN_ON – occurs when the screen is turned on.\r\nThe malware then checks whether the device is rooted. If the device is rooted, the malware continues straight to acting on its objective. If it is not rooted, the parent malware XOR-decrypts a file from its assets called right_core.apk (every byte is XORed with 85, i.e. 0x55). right_core.apk then decrypts a native library from a file called support.bmp. This native library is used to launch multiple exploits in an attempt to escalate privileges and gain root access.\r\nOnce elevated to root, the malware establishes communication with one of its C\u0026C servers. From the server, the malware downloads a list of malicious APKs.\r\nThe second attack vector, called qs, is initiated only if the first vector failed to gain root. This attack vector uses social engineering in order to achieve its purpose. 
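The asset unpacking described above, as an added example that is not part of the original Check Point post: a small Python triage helper that undoes the single-byte XOR (key 85) applied to right_core.apk and checks that the result really is a ZIP/APK before listing its members. It goes beyond the post by brute-forcing all 256 single-byte keys against the ZIP signature, which is how an analyst recovers the key when it is not already known. The packed sample it operates on is constructed inline (a tiny placeholder ZIP XORed with 85), and the function names are assumptions of this example, not names from the malware.

```python
# Added example, not Check Point's code: triage helper for a single-byte-XOR
# packed asset such as HummingBad's right_core.apk (every byte XORed with 85).
import io
import zipfile

ZIP_MAGIC = bytes([0x50, 0x4B, 0x03, 0x04])  # 'PK' local-file-header signature
HUMMINGBAD_KEY = 85                          # 0x55, the key named in the write-up


def xor_bytes(data: bytes, key: int) -> bytes:
    # XOR is its own inverse, so the same call packs and unpacks.
    return bytes(b ^ key for b in data)


def find_xor_keys(blob: bytes, magic: bytes = ZIP_MAGIC) -> list:
    # Generalisation of the write-up: try all 256 single-byte keys and keep the
    # ones under which the blob starts with the expected file signature.
    return [k for k in range(256) if xor_bytes(blob[:len(magic)], k) == magic]


def unpack_asset(blob: bytes, key: int = HUMMINGBAD_KEY) -> list:
    # Decrypt, verify the ZIP/APK signature, and return the member names
    # without extracting anything to disk.
    plain = xor_bytes(blob, key)
    if not plain.startswith(ZIP_MAGIC):
        raise ValueError('decrypted data does not start with a ZIP signature')
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return zf.namelist()


def build_packed_sample() -> bytes:
    # Constructed stand-in for the real asset: a tiny ZIP with APK-like member
    # names, XORed with 85 the way the text describes. Contents are placeholders.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('AndroidManifest.xml', 'placeholder manifest')
        zf.writestr('classes.dex', 'placeholder dex')
        zf.writestr('assets/support.bmp', 'placeholder native library')
    return xor_bytes(buf.getvalue(), HUMMINGBAD_KEY)


if __name__ == '__main__':
    packed = build_packed_sample()
    assert not packed.startswith(ZIP_MAGIC)      # signature hidden while packed
    print('candidate keys:', find_xor_keys(packed))
    print('members:', unpack_asset(packed))
```

The signature check matters because a wrong key on real samples still yields bytes that zipfile may partially accept; rejecting anything that does not start with the PK header avoids chasing garbage. This helper covers only the XOR stage: the post does not describe how the native library inside support.bmp or the DES-encrypted module_encrypted.jar are keyed, so those layers need their own routines taken from the actual samples.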
The component “qs” is also XOR-encrypted and has to be decrypted by the parent malware.\r\nOnce unpacked, the malware pops up a fake user notification about a system update. If the user opens the notification, they are asked to authorize the installation of the “system update”, which is actually a malicious APK. The malware then hides its own icon and DES-decrypts a file called module_encrypted.jar. The module_encrypted.jar component has the same capabilities as right_core, plus several new exploits.\r\nAt this stage, the malware tries to connect to its C\u0026C servers for further commands. The server can instruct the malware to perform several actions:\r\nDownload APKs from a URL provided by the server and install them. Depending on whether root access was successfully established, the application installs the APK silently or shows an install dialog containing text provided by the server.\r\nSend referrer requests in order to generate Google Play advertising revenue. To achieve this, the malware gets a list of packages and referrer IDs from the server and then scans the applications running on the device. Once it has collected this information, the malware sends com.android.vending.INSTALL_REFERRER intents with the corresponding referrer ID in order to claim the revenue.\r\nLaunch applications: the malware gets a list of packages from the server and tries to launch them.\r\nSend a request to a URL provided by the server. In this case, the malware gets a URL from the server and opens a connection to it using a fixed user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0.\r\nIt is interesting to note that, at the time of writing, all of the C\u0026C servers are still alive and contain dozens of malicious APKs. 
A few of the malicious binaries on the C\u0026C servers have dropper capabilities of their own, while others have rooting capabilities.\r\nCheck Point Mobile Threat Prevention users are protected from this malware.\r\nFor more information, visit www.checkpoint.com/mobilesecurity.\r\nAppendix – list of C\u0026Cs and malicious URLs\r\nC\u0026C servers:\r\nhxxp://manage.hummerlauncher[.]com\r\nhxxp://cdn.sh-jxzx[.]com/z/u/apk\r\nhxxp://fget.guangbom[.]com\r\nhxxp://d2b7xycc4g1w1e.cloudfront[.]net\r\nhxxp://manage.hummerlauncher[.]com:10010/c/40\r\nhxxp://manage.hummerlauncher[.]com:10010/c/39\r\nhxxp://manage.hummerlauncher[.]com:10010/c/43\r\nhxxp://manage.hummerlauncher[.]com:10010/c/50\r\nhxxp://manage.hummerlauncher[.]com:10010/c/51\r\nhxxp://manage.hummerlauncher[.]com:10010/c/53\r\nhxxp://manage.hummerlauncher[.]com:10010/c/61\r\nhxxp://manage.hummerlauncher[.]com:10010/c/44\r\nhxxp://manage.hummerlauncher[.]com:10010/c/31\r\nhxxp://manage.hummerlauncher[.]com:10010/c/29\r\nhxxp://manage.hummerlauncher[.]com:10010/c/30\r\nhxxp://cdn.sh-jxzx[.]com/z/u/apk/SN-SDK-5002.apk\r\nhxxp://fget.guangbom[.]com:7012/getSSPDownUrl.do?cid=118\r\nhxxp://d2b7xycc4g1w1e.cloudfront[.]net/upload/apk/1435636098822.apk\r\nhxxp://fget.guangbom[.]com:7012/getSSPDownUrl.do?cid=119\r\nSource: https://blog.checkpoint.com/2016/02/04/hummingbad-a-persistent-mobile-chain-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.checkpoint.com/2016/02/04/hummingbad-a-persistent-mobile-chain-attack/"
	],
	"report_names": [
		"hummingbad-a-persistent-mobile-chain-attack"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0afff988-cf8a-443b-9e2e-8686e511d0ed",
			"created_at": "2023-01-06T13:46:38.45683Z",
			"updated_at": "2026-04-10T02:00:02.982791Z",
			"deleted_at": null,
			"main_name": "HummingBad",
			"aliases": [],
			"source_name": "MISPGALAXY:HummingBad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434797,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63f33e7ccbff8862744d853f12ca0758366f8ca3.pdf",
		"text": "https://archive.orkl.eu/63f33e7ccbff8862744d853f12ca0758366f8ca3.txt",
		"img": "https://archive.orkl.eu/63f33e7ccbff8862744d853f12ca0758366f8ca3.jpg"
	}
}