Security experts from Chinese security firm Cheetah Mobile say that an Android trojan that appeared in the summer of 2014 has exploded in terms of activity, as they’re seeing millions of new smartphones infected with this threat every day.
While in its early life this virus was barely making a difference, the trojan, named Hummer, has been on a rising trend ever since the summer of 2015, with the number of daily infections growing each month.
At its peak period, in the first months of the year, Hummer was infecting around 1.6 million new users on a daily basis. Even if the numbers have gone down in recent months, the trojan is still infecting one million new devices per day.
Hummer averaged 1.2M new infections per day since the start of 2016
Since the start of 2016, on average, Hummer has achieved 1,187,722 new infections per day, which is almost double its closest competitor, the GhostPush malware, which has a daily infection rate of 691,079 new devices.
Hummer is part of a new class of Android malware that comes equipped with rooting exploits in order to gain administrative privileges on the infected device without needing to beg users for permissions.
Trend Micro detected a similar threat, which came with rooting exploits that were effective against 90 percent of all Android devices on the market today.
Currently, it appears that crooks are using Hummer as an entry point on infected devices. Once the trojan manages to contaminate and root a device, crooks will push adware and unwanted apps to users’ phones, as part of affiliate programs.
Cheetah Mobile estimates that if the crooks pushed at least one app to each new device they infect each day, based on the current rate of new infections (1 million) and an average payout of $0.50 per new app install in affiliate programs, the crooks would be making at least $500,000 per day.
If accurate, this estimate dwarfs anything that ransomware, banking trojans, or malvertisers would be making in a single day, at any time.
Hummer’s creators are from China
Based on the Whois history of the domains used in Hummer’s command and control infrastructure, Cheetah Mobile experts say they found several of these URLs linked to an email address for a person in mainland China.
Additionally, “[t]he researchers believe that this trojan family originated from the underground internet industry chain in China, based on the trojan codes [sic] that have been uploaded to an open-source platform by a careless member of the criminal group behind the trojan family,” the.
Most of the victims affected by Hummer are located in India, Indonesia, Turkey, China, and Mexico.
In India alone, the second and third most popular Android malware families are two different versions of the Hummer trojan, while the sixth is a malware variant that’s forcibly installed by Hummer on infected devices.
To understand how dangerous this trojan can be, Cheetah Mobile carried out a laboratory test. On an infected device, the Hummer trojan made over 10,000 network requests, consumed 2 GB of traffic and installed over 200 unwanted Android apps. All of this in just a few hours.