A Chinese hacking group is making $500,000 per day: here's how

Based on Cheetah Mobile’s estimation, if the virus developer were able to make $0.50 (the average cost of getting a new installation) every time the virus installed an application on a smartphone, the group behind this Hummer Trojan family would be able to make over $500,000 daily.


On June 29th, Cheetah Mobile Security Research Lab issued warnings against a newly found mobile phone Trojan family, which has been dubbed “Hummer.” During the first half of 2016, the Hummer Trojan infected nearly 1.4 million devices daily at its peak. In China alone, there were up to 63,000 infections every day. According to collected evidence, this Trojan family has something to do with the underground industry chain in China, said Cheetah Mobile.

Security researchers claim that this Trojan family is one of the largest ever, with millions of Android phones infected around the world. According to Cheetah Mobile’s estimation, if the virus developer were able to make $0.50 (the average cost of getting a new installation) every time the virus installed an application on a smartphone, the group behind this Trojan family would be able to make over $500,000 daily.

Basically, when a mobile phone is infected with the Hummer Trojan, it will root the device to obtain administrator privileges of the system. It will then frequently pop up ads and silently install unnecessary or unwanted applications (even malware) in the background, which consumes a lot of network traffic. Since the Hummer Trojan can gain the highest control over the phone system, ordinary anti-virus tools are not able to clear the Trojan thoroughly – even performing a factory reset on the device won’t get rid of it.

Cheetah Mobile claimed that it had updated its anti-virus products, CM Security and Clean Master, to ensure users won’t be affected by Hummer.

Tracing the source

Cheetah Mobile said that after analysing the samples, they discovered that from the beginning of 2016, the group started using 12 domain names to update the Trojan and issue promotion orders.

Through the Whois history information, researchers found that several of the domains are linked to an e-mail account in mainland China. The researchers believe that this Trojan family originated from the underground internet industry chain in China, based on Trojan code that was uploaded to an open-source platform by a careless member of the criminal group.

Large number of phones infected

Between January and June 2016, the average number of Hummer-infected phones was 1,190,000, which is larger than for any other mobile phone Trojan. The infection is now spreading throughout the world. India, Indonesia, Turkey, and China have seen the largest number of infections.

Rank  Country          Infections
1     India            154248
2     Indonesia        92889
3     Turkey           63906
4     China            63285
5     Mexico           59192
6     The Philippines  55290
7     Russia           51261
8     Malaysia         38141
9     Thailand         34601
10    Vietnam          29469
11    Colombia         28685
12    Ukraine          26785
13    Iran             26116
14    Egypt            22308
15    Romania          19709
16    America          18787
17    Iraq             15622
18    Algeria          12691
19    Bangladesh       12082
20    Pakistan         11957
21    Spain            11671
22    Venezuela        10574
23    Italy            10124
24    Germany          9447
25    Nigeria          8028

India has the most Hummer Trojan infections. Among the top 10 Trojans affecting the most users in India, the second and third are members of the Hummer Trojan family, and the sixth is a Trojan that’s promoted by Hummer.

1   Android.RISKWARE.Hideicon.lv
2   Android.MALWARE.at_PermAd.a
3   Android.MALWARE.at_Fakegupdt.f
4   Android.Troj.guerrilla.mc
5   Android.Troj.at_Downloader.q
6   Android.Troj.Sprovider.a
7   Android.RISKWARE.SmsSend.ba
8   Android.Troj.tk_guerrilla.c
9   Android.Troj.at_CovaDown.d
10  Android.RISKWARE.at_Parse.a

The Hummer Trojan family members are embedded with a root module, and the latest variant has as many as 18 different root methods. Again, once a phone is infected, the Trojan gains root privilege, which makes it very difficult to delete.

This Trojan continually pops up ads on victims’ phones, which is extremely annoying. It also pushes mobile phone games and silently installs porn applications in the background. Unwanted apps appear on these devices, and they’re reinstalled shortly after users uninstall them.

Cheetah Mobile Security Research Lab said that they ran a test with the Hummer Trojan, and the findings were astonishing: in several hours, the Trojan accessed the network over 10,000 times and downloaded over 200 APKs, consuming 2 GB of network traffic.


This article was first uploaded on July one, twenty sixteen, at forty-one minutes past three in the afternoon.