Hummingbad Overtaken as Leading Mobile Malware in January’s Global Threat Impact Index

 Hummingbad has been overtaken as the leading mobile malware for the first time since February 2016, according to the new January Global Threat Impact Index from our Threat Intelligence Research Team.

Hummingbad was replaced at the top of the ‘most wanted mobile malware’ by Triada, a modular backdoor for Android which grants super-user privileges to downloaded malware, as helps it to get embedded into system processes.  In total, mobile malware accounted for 9% of all recognized attacks while the Index ranked Kelihos, a botnet used in bitcoin theft, as the most prevalent malware family overall, with 5% of organizations globally being impacted by it.

Overall the top 10 malware families revealed that hackers were using wide range of attack vectors and tactics to target businesses. This included a range of threats that impacted all steps of the infection chain including spam emails which are spread by botnets and contain downloaders that eventually place a ransomware or a Trojan on the victim’s machine.

Globally, Kelihos was the most active malware family affecting 5% or organizations globally, followed by HackerDefender and Cryptowall in second and third place respectively both impacting 4.5% of companies.


January’s Top 10 ‘Most Wanted’ Malware

  1. Kelihos – Botnet mainly involved in bitcoin theft and spamming. It utilizes peer-to-peer communications, enabling each individual node to act as a Command & Control server
  2. HackerDefender – User-mode Rootkit for Windows, can be used to hide files, processes and registry keys, and also implements a backdoor and port redirector that operates through TCP ports opened by existing services. This means it is not possible to find the hidden backdoor through traditional means.
  3. Cryptowall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, Cryptowall became one of the most prominent ransomwares to date. Cryptowall is known for its use of AES encryption and for conducting its C&C communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
  4. Conficker – Worm that allows remote operations and malware download. The infected machine is controlled by a botnet, which contacts its Command & Control server to receive instructions.
  5. Nemucod – JavaScript or VBScript downloader which is commonly used to download ransomware variants or other malicious payloads.
  6. RookieUA – Info Stealer designed to extract user account information such as logins and passwords and send them to a remote server.
  7. Nivdort – Multipurpose bot, also known as Bayrob, that is used to collect passwords, modify system settings and download additional malware. It is usually spread via spam emails with the recipient address encoded in the binary, thus making each file unique.
  8. Zeus – Banking Trojan that uses man-in-the-browser keystroke logging and form grabbing in order to steal banking information.
  9. Ramnit – Banking Trojan that steals banking credentials, FTP passwords, session cookies and personal data.
  10. Necurs – Botnet used to spread malware by spam emails, mainly Ransomware and Banking Trojans.


Top 3 ‘Most Wanted’ mobile malware

  1. Triada – Modular Backdoor for Android which grants super-user privileges to downloaded malware, as helps it to get embedded into system processes. Triada has also been seen spoofing URLs loaded in the browser.
  2. Hummingbad – Android malware that establishes a persistent rootkit on the device, installs fraudulent applications, and with slight modifications could enable additional malicious activity such as installing a key-logger, stealing credentials and bypassing encrypted email containers used by enterprises.
  3. Hiddad – Android malware which repackages legitimate apps and then released them to a third-party store. Its main function is displaying ads, however it is also able to gain access to key security details built into the OS, allowing an attacker to obtain sensitive user data.


The wide range of threats seen during January utilizes all available tactics in the infection chain to try and gain a foothold on enterprise networks.  To counter this organizations need advanced threat prevention measures on networks, endpoints and mobile devices to stop malware at the pre-infection stage, such as Check Point’s SandBlast™ Zero-Day Protection and Mobile Threat Prevention solutions, to ensure that they are adequately secured against the latest threats.  Stay tuned for the February Global Threat Impact Index.