Hummingbad Overtaken As Leading Mobile Malware In January’s Global Threat Impact Index

By   ISBuzz Team
Writer , Information Security Buzz | Feb 09, 2017 05:00 pm PST

Triada, a modular backdoor for Android, the top of the ‘most wanted mobile malware’

Check Point has revealed that Hummingbad has been overtaken as the leading mobile malware for the first time since February 2016, according to the new January Global Threat Impact Index from our Threat Intelligence Research Team.

Hummingbad was replaced at the top of the ‘most wanted mobile malware’ by Triada, a modular backdoor for Android which grants super-user privileges to downloaded malware, as helps it to get embedded into system processes.  In total, mobile malware accounted for 9% of all recognized attacks while the Index ranked Kelihos, a botnet used in bitcoin theft, as the most prevalent malware family overall, with 5% of organizations globally is impacted by it.

Overall the top 3 malware families revealed that hackers were using a wide range of attack vectors and tactics to target businesses. These threats impact all steps of the infection chain, including spam emails which are spread by botnets, and contain downloaders that place ransomware or a Trojan on the victim’s machine.  Globally, Kelihos was the most active malware family affecting 5% or organizations globally, followed by HackerDefender and Cryptowall in second and third place respectively, with both impacting 4.5% of companies.

The UK was also the 53rd most attacked country globally, higher than the US (100th), Germany (65th) and France (61st).

 January 2017’s Top 3 ‘Most Wanted’ Malware:

  1. Kelihos– Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server.
  2. HackerDefender– User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  3. Cryptowall– Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.

 Top 3 ‘Most Wanted’ mobile malware:

  1. Triada– Modular Backdoor for Android which grants super-user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. Hummingbad– Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  3. Hiddad– Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.

Nathan Shuchami, Head of Threat Prevention at Check Point commented, “The wide range of threats seen during January, utilizing all the available tactics in the infection chain, demonstrates the size of the task IT teams face in securing their networks against attack.  To defend themselves, organizations need to apply advanced threat prevention measures on their networks, endpoints and mobile devices to stop malware at the pre-infection stage, such as Check Point’s SandBlast™ Zero-Day Protection and Mobile Threat Prevention solutions, to ensure that they are secured against both known and unknown threats.”

The ThreatCloud Map is powered by Check Point’s ThreatCloudTM intelligence, the largest collaborative network to fight cybercrime which delivers threat data and attack trends from a global network of threat sensors.  The ThreatCloud database holds over 250 million addresses analyzed for bot discovery, over 11 million malware signatures and over 5.5 million infected websites, and identifies millions of malware types daily.

From January 2017, Check Point has revised how it indexes the top malware:  it now shows the percentage of organizations worldwide affected by each malware family, to provide a ranking of the most prevalent malware families attacking networks, instead of being based on the number of detections found.  This gives a more accurate overview of the actual impact of threats on organizations during the month.