Tried-and-true Triada supplants Hummingbad as top mobile malware

David Bisson


Hummingbad is no longer the web’s “most wanted mobile malware.” That dubious honor goes to Triada.

Since February 2016, Check Point’s Threat Intelligence Research Team has ranked Hummingbad as the top mobile malware in its Global Threat Impact Index.

It’s understandable why they would. In part distributed by drive-by downloads off of adult websites, the complex Android rootkit helps criminals generate fraudulent ad revenue to fund their enterprises.

One gang called Yingmob had infected 10 million Android devices with Hummingbad as of July 2016. With that number of compromised devices, a criminal could expect to rake in $300,000 of ad revenue–per month!

But the winds have since changed course.

In its January 2017 report, Check Point named Triada as the chief mobile threat. No doubt they made their decision because of the modular backdoor’s ability to infect the Zygote process, a core process of the Android operating system. A module that enabled the malware to embed its DLL into the processes of four mobile browsers, thereby allowing attackers to intercept users’ web requests and send them to a web page of their choosing, likely also played a role.

Even so, Check Point found that mobile malware accounted for only nine percent of attacks on its January index. For that reason, neither Triada nor Hummingbad registered among the top malware threats, when including non-mobile devices. The most popular malware families typically used spam emails, downloaders, and other techniques to make the list.

Check Point’s researchers explain in a blog post:

“Globally, Kelihos was the most active malware family affecting 5% of organizations globally, followed by HackerDefender and Cryptowall in second and third place respectively both impacting 4.5% of companies.”

To protect against Kelihos, HackerDefender, Cryptowall, and the rest, users need to be on the lookout for suspicious links and email attachments. Organizations can supplement this effort by blocking users from visiting certain kinds of websites, including adult dating services, while connected to the enterprise network on their mobile devices.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.