On June 29th, Cheetah Mobile Security Research Lab issued warnings against a newly found mobile phone trojan family, which has been dubbed “Hummer.” During the first half of 2016, the Hummer trojan infected nearly 1.4 million devices daily at its peak. In China alone, there were up to 63,000 infections every day. According to collected evidence, this trojan family has something to do with the underground industry chain in China.
Security researchers claim that this trojan family is one of the largest ever, with millions of Android phones infected around the world. Based on Cheetah Mobile’s estimation, if the virus developer were able to make $0.50 (the average cost of getting a new installation) every time the virus installed an application on a smartphone, the group behind this trojan family would be able to make over $500,000 daily.
When a mobile phone is infected with the Hummer trojan, it will root the device to obtain administrator privileges of the system. It will then frequently pop up ads and silently install unnecessary or unwanted applications (even malware) in the background, which consumes a lot of network traffic. Since the Hummer trojan can gain the highest control over the phone system, ordinary anti-virus tools are not able to clear the trojan thoroughly – even performing a factory reset on the device won’t get rid of it.
Cheetah Mobile has updated its anti-virus products, CM Security and Clean Master, to ensure users won’t be affected by Hummer. For those who are already infected with this virus, Cheetah Mobile’s trojan Killer app (available on Google Play for download https://play.google.com/store/apps/details?id=com.cleanmaster.security.stubborntrjkiller) will be able to easily help users remove this Trojan family from their device. Users can also get rid of it by flashing their devices.
Tracing the source of the Hummer trojan family
After analyzing the samples, security researchers from Cheetah Mobile discovered the domain names used to update the trojan. From the beginning of 2016, the group behind the Hummer trojan family started using 12 domain names to update the trojan and issue promotion orders.
Through the Whois history information, researchers found that several of the domains are linked to an e-mail account in mainland China. The researchers believe that this trojan family originated from the underground internet industry chain in China, based on the trojan codes that have been uploaded to an open-source platform by a careless member of the criminal group behind the trojan family.
Hummer is now the #1 trojan across the world
According to data collected by Cheetah Mobile Security Research Lab, between January and June 2016, the average number of Hummer-infected phones is 1,190,000, which is larger than any other mobile phone trojan.
The Hummer trojan is spreading throughout the world. India, Indonesia, Turkey, and China have seen the largest number of infections. Below is the list of the top 25 countries that have been affected by the Hummer trojan family in 2016.
Since India has the most Hummer trojan infections, Cheetah Mobile Security Lab investigated deeper. Among the top 10 trojans affecting most users in India, the second and third are members of the Hummer trojan family, and the sixth is a trojan that’s promoted by Hummer.
The Hummer trojan family members are embedded with a root module, and the latest variant has as many as 18 different root methods. Again, once a phone is infected, the trojan gains root privilege, which makes it very difficult to delete.
This trojan continually pops up ads on victims’ phones, which is extremely annoying. It also pushes mobile phone games and silently installs porn applications in the background. Unwanted apps appear on these devices, and they’re reinstalled shortly after users uninstall them. Cheetah Mobile Security Research Lab made a test with the Hummer trojan, and the findings were astonishing: In several hours, the trojan accessed the network over 10,000 times and downloaded over 200 APKs, consuming 2 GB of network traffic.