{
	"id": "8689ba2f-0d42-4316-92a6-4031921c8e6f",
	"created_at": "2026-04-06T01:29:33.590515Z",
	"updated_at": "2026-04-10T03:33:16.892958Z",
	"deleted_at": null,
	"sha1_hash": "a6dc01175886bbae1a9fef662127429bb6d19023",
	"title": "10 million Android phones infected by all-powerful auto-rooting apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 444101,
	"plain_text": "10 million Android phones infected by all-powerful auto-rooting\r\napps\r\nBy Dan Goodin\r\nPublished: 2016-07-07 · Archived: 2026-04-06 01:13:24 UTC\r\nSkip to content\r\nBiz \u0026 IT\r\nFirst detected in November, Shedun/HummingBad infections are surging.\r\nhttp://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/\r\nPage 1 of 7\n\nSecurity experts have documented a disturbing spike in a particularly virulent family of Android malware, with\r\nmore than 10 million handsets infected and more than 286,000 of them in the US.\r\nResearchers from security firm Check Point Software said the malware installs more than 50,000 fraudulent apps\r\neach day, displays 20 million malicious advertisements, and generates more than $300,000 per month in revenue.\r\nThe success is largely the result of the malware’s ability to silently root a large percentage of the phones it infects\r\nby exploiting vulnerabilities that remain unfixed in older versions of Android. The Check Point researchers have\r\ndubbed the malware family “HummingBad,” but researchers from mobile security company Lookout say\r\nHummingBad is in fact Shedun, a family of auto-rooting malware that came to light last November and had\r\nalready infected a large number of devices.\r\nUpdate Jul 11 2016 8:32: On Monday, a Checkpoint representative disputed Lookout’s contention and pointed to\r\nthis blog post from security firm Eleven Paths as support. The blog post said HummingBad “uses a completely\r\ndifferent infrastructure with little in common” with Shedun. In an e-mail, a Lookout representative stood by its\r\nanalysis and said company researchers planned to publish an in-depth response in the coming days.\r\nFor the past five months, Check Point researchers have quietly observed the China-based advertising company\r\nbehind HummingBad in several ways, including by infiltrating the command and control servers it uses. The\r\nresearchers say the malware uses the unusually tight control it gains over infected devices to create windfall\r\nprofits and steadily increase its numbers. HummingBad does this by silently installing promoted apps on infected\r\nphones, defrauding legitimate mobile advertisers, and creating fraudulent statistics inside the official Google Play\r\nStore.\r\n“Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals,”\r\nCheck Point researchers wrote in a recently published report. “Emboldened by financial and technological\r\nindependence, their skillsets will advance–putting end users, enterprises, and government agencies at risk.”\r\nhttp://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/\r\nPage 2 of 7\n\nThe report said HummingBad apps are developed by Yingmob, a Chinese mobile ad server company that other\r\nresearchers claim is behind the Yinspector iOS malware. HummingBad sends notifications to Umeng, a tracking\r\nand analytics service attackers use to manage their campaign. Check Point analyzed Yingmob’s Umeng account to\r\ngain further insights into the HummingBad campaign and found that beyond the 10 million devices under the\r\ncontrol of malicious apps, Yingmob has non-malicious apps installed on another 75 million or so devices. The\r\nresearchers wrote:\r\nWhile profit is powerful motivation for any attacker, Yingmob’s apparent self-sufficiency and\r\norganizational structure make it well-positioned to expand into new business ventures, including\r\nproductizing the access to the 85 million Android devices it controls. This alone would attract a whole\r\nnew audience–and a new stream of revenue–for Yingmob. Quick, easy access to sensitive data on\r\nmobile devices connected to enterprises and government agencies around the globe is extremely\r\nattractive to cybercriminals and hacktivists.\r\nDrive-by downloads and multiple rooting exploits\r\nThe malware uses a variety of methods to infect devices. One involves drive-by downloads, possibly on booby-trapped porn sites. The attacks use multiple exploits in an attempt to gain root access on a device. When rooting\r\nfails, a second component delivers a fake system update notification in hopes of tricking users into granting\r\nHummingBad system-level permissions. Whether or not rooting succeeds, HummingBad downloads a large\r\nnumber of apps. In some cases, malicious components are dynamically downloaded onto a device after an infected\r\napp is installed.\r\nFrom there, infected phones display illegitimate ads and install fraudulent apps after certain events, such as\r\nrebooting, the screen turning on or off, a detection that the user is present, or a change in Internet connectivity.\r\nHummingBad also has the ability to inject code into Google Play to tamper with its ratings and statistics. It does\r\nthis by using infected devices to imitate clicks on the install, buy, and accept buttons.\r\nMany of the 10 million infected phones are running old versions of Android and reside in China (1.6 million) and\r\nIndia (1.35 million). Still, US-based infected phones total almost 287,000. The most widely infected major\r\nAndroid versions are KitKat with 50 percent, followed by Jelly Bean with 40 percent. Lollipop has 7 percent, Ice\r\nCream Sandwich has 2 percent, and Marshmallow has 1 percent. It’s often hard for average users to know if their\r\nphones have been rooted, and Shedun apps often wait some period of time before displaying obtrusive ads or\r\ninstalling apps. The best bet for Readers who want to make sure their phone isn’t infected is to scan their phones\r\nusing the free version of the Lookout Security and Antivirus app. Android malware has drastically lower rates of\r\nsuccess when app installations outside of Google Play are barred. Readers should carefully think through the risks\r\nbefore changing this default setting.\r\nhttp://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/\r\nPage 3 of 7\n\nTop 20 countries targeted by Hummingbad/Shedun.\r\nCredit: Check Point Software\r\nTop 20 countries targeted by Hummingbad/Shedun. Credit: Check Point Software\r\nHummingbad/Shedun infections by Android version.\r\nCredit: Check Point Software\r\nHummingbad/Shedun infections by Android version. Credit: Check Point Software\r\nhttp://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/\r\nPage 4 of 7\n\nSo far, HummingBad has been observed using its highly privileged status only to engage in click fraud, display\r\npop-up ads, tamper with Google Play, and install additional apps that do more of the same. But there’s little\r\nstopping it from doing much worse. That’s because the malware roots most of the phones it infects, a process that\r\nsubverts key security mechanisms built into Android. Under a model known as sandboxing, most Android apps\r\naren’t permitted to access passwords or other data available to most other apps. System applications with root, by\r\ncontrast, have super-user permissions that allow them to break out of such sandboxes. From there, root-level apps\r\ncan read or modify data and resources that would be off-limits to normal apps.\r\nAs Lookout first reported more than eight months ago, the problem with Shedun/HummingBad and similar\r\nmalicious app families that silently exploit Android rooting vulnerabilities is that the infections can survive normal\r\nfactory resets. Lookout said in its own blog post published Wednesday that its threat detection network has\r\nrecently observed a surge of Shedun attacks, indicating the scourge won’t be going away any time soon.\r\nPost updated to correct revenue amount in the second paragraph, add details about third-party app stores in the\r\nninth paragraph.\r\nDan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer\r\nespionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking,\r\nand following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and\r\nhere on Bluesky. Contact him on Signal at DanArs.82.\r\nhttp://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/\r\nPage 5 of 7\n\n275 Comments\r\nhttp://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/\r\nPage 6 of 7\n\n1.\r\n2.\r\n3.\r\n4.\r\n5.\r\nSource: http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/\r\nhttp://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/\r\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
	],
	"report_names": [
		"virulent-auto-rooting-malware-takes-control-of-10-million-android-devices"
	],
	"threat_actors": [
		{
			"id": "0afff988-cf8a-443b-9e2e-8686e511d0ed",
			"created_at": "2023-01-06T13:46:38.45683Z",
			"updated_at": "2026-04-10T02:00:02.982791Z",
			"deleted_at": null,
			"main_name": "HummingBad",
			"aliases": [],
			"source_name": "MISPGALAXY:HummingBad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "45577352-1038-44a4-b111-44764d26a4b0",
			"created_at": "2022-10-25T16:07:24.591806Z",
			"updated_at": "2026-04-10T02:00:05.046659Z",
			"deleted_at": null,
			"main_name": "Yingmob",
			"aliases": [],
			"source_name": "ETDA:Yingmob",
			"tools": [
				"DroidPlugin",
				"Eomobi",
				"HummingBad",
				"HummingWhale",
				"Yispecter",
				"ZxxZ"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438973,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6dc01175886bbae1a9fef662127429bb6d19023.pdf",
		"text": "https://archive.orkl.eu/a6dc01175886bbae1a9fef662127429bb6d19023.txt",
		"img": "https://archive.orkl.eu/a6dc01175886bbae1a9fef662127429bb6d19023.jpg"
	}
}