Tried-and-true Triada supplants Hummingbad as top mobile malware

And the most prevalent malware family overall is....


Hummingbad is no longer the web’s “most wanted mobile malware.” That dubious honor goes to Triada.

Since February 2016, Check Point’s Threat Intelligence Research Team has ranked Hummingbad as the top mobile malware in its Global Threat Impact Index.

It’s understandable why they would. In part distributed by drive-by downloads off of adult websites, the complex Android rootkit helps criminals generate fraudulent ad revenue to fund their enterprises.

One gang called Yingmob had infected 10 million Android devices with Hummingbad as of July 2016. With that number of compromised devices, a criminal could expect to rake in $300,000 of ad revenue--per month!

[Image: Hummingbad flow]

But the winds have since changed course.

In its January 2017 report, Check Point named Triada as the chief mobile threat. No doubt they made their decision because of the modular backdoor’s ability to infect Zygote, a core process of the Android operating system. A module that enabled the malware to embed its DLL into the processes of four mobile browsers, thereby allowing attackers to intercept users’ web requests and send them to a web page of their choosing, no doubt also played a role.

[Image: Zygote]

Even so, Check Point found that mobile malware accounted for only nine percent of attacks on its January index. For that reason, neither Triada nor Hummingbad registered among the top malware threats, when including non-mobile devices. The most popular malware families typically used spam emails, downloaders, and other techniques to make the list.

Check Point’s researchers explain in a blog post:

“Globally, Kelihos was the most active malware family affecting 5% of organizations globally, followed by HackerDefender and Cryptowall in second and third place respectively both impacting 4.5% of companies.”

[Image: Top 50 malware]

To protect against Kelihos, HackerDefender, Cryptowall, and the rest, users need to be on the lookout for suspicious links and email attachments. Organizations can supplement this effort by blocking users from visiting certain kinds of websites, including adult dating services, while connected to the enterprise network on their mobile devices.
