This modular backdoor malware is now the most common threat to Android smartphones

For the first time in a year, Hummingbad isn't the most prolific form of malware on mobile devices.
Written by Danny Palmer, Senior Writer

There's a new top mobile malware threat in town.


It's taken a whole year for it to be dislodged, but Hummingbad has finally been overtaken as the leading form of mobile malware.

The Hummingbad Android malware is still likely making its creators hundreds of thousands of dollars a month, and continues to infect millions of devices, but the Triada malware has taken the top spot in the first month of the year, Check Point's Threat Impact Index for January has revealed.

Triada is a modular backdoor for Android which grants the malicious actor super-user privileges on the infected device, allowing them to download additional malware and spoof URLs. It's been the second most prolific malware behind Hummingbad for some time, but now crooks have been able to make it the most prolific form of mobile malicious software.

Hiddad, a form of Android malware which repackages apps then releases them to a third-party store in order to display ads and observe sensitive user data of downloaders, was the third most prolific form of mobile malware in January.

Looking at malware overall, the researchers ranked Kelihos as the most prolific malware of January. Kelihos is a botnet mainly involved in Bitcoin theft and spamming; it uses peer-to-peer communication to enable each individual node to act as a command-and-control server. Kelihos is thought to have impacted five percent of all organisations across the globe.

Kelihos is followed by HackerDefender malware and Cryptowall ransomware, which have each affected around 4.5 percent of organisations during January. HackerDefender is a rootkit for Windows which can be used to hide files, processes, and registry keys, making the hidden backdoor difficult to find.

Meanwhile, Cryptowall has long been one of the most prominent forms of ransomware, widely distributed via exploit kits, malvertising, and phishing. Cryptowall usually ranks behind Locky ransomware, but instances of Locky dropped over Christmas and have yet to return to the level which made it one of the most prolific forms of malware outright.

The 14-year-old Conficker computer worm experienced a spike in activity in early December, and still hasn't gone away; it ranks as the fourth most prolific form of malware during January. Nemucod, a JavaScript or Visual Basic Script downloader most commonly used to download variants of ransomware and other malicious payloads, was the fifth most prolific form of malware during the month.

The RookieUA information stealer, the Nivdort bot, the Zeus banking Trojan, the Ramnit banking Trojan, and the Necurs botnet round out the list.

"The wide range of threats seen during January, utilizing all the available tactics in the infection chain, demonstrates the size of the task IT teams face in securing their networks against attack," says Nathan Shuchami, head of threat prevention at Check Point.
