S0322: HummingBad

HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. [1]

Mobile | S0322 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

HummingBad matters because it represents mobile malware that can turn infected Android devices into both a fraud platform and a privileged foothold when older, vulnerable Android versions are present. For leaders, the business issue is not only ad fraud; it is whether mobile devices used by the workforce are visible, patched, and governed well enough to prevent or investigate malware that attempts root-level control and generates unwanted outbound traffic.

Executive priority

Prioritize this as a mobile security governance and resilience question: do you know which Android devices are allowed to access business resources, whether they are running older vulnerable versions, and whether the SOC can see suspicious mobile-originated traffic? This behavior is relevant to budget and control decisions around mobile device management, patch/vulnerability management, identity access conditions for mobile devices, and incident response readiness for compromised endpoints.

Technical view

ATT&CK provides no dedicated detection text for HummingBad, so defenders should validate coverage through its documented behaviors and relationships: exploitation for privilege escalation and generating traffic from the victim. SOC and IR teams should confirm whether managed Android devices expose OS version, patch level, app inventory, root/jailbreak status where applicable, network destinations, and unusual outbound web or SMS-like activity. Detection engineering should focus on correlating vulnerable or outdated Android posture with signs of unauthorized privilege escalation and unexplained outbound traffic generation rather than relying on a single malware name.

Likely telemetry

  • Mobile device inventory and enrollment status
  • Android OS version and security patch level
  • Mobile app inventory and installation source where available
  • Root or device integrity signals from mobile management tooling
  • Mobile network, proxy, DNS, or secure web gateway logs tied to device identity

Detection direction

  • Validate whether mobile telemetry is available for both corporate-owned and allowed personal Android devices; unmanaged devices are a likely blind spot.
  • Tune detections for combinations of outdated Android versions, suspicious app presence, root/integrity changes, and unusual outbound traffic rather than only known indicators.
  • Review traffic-generation alerts with false positives in mind, since legitimate mobile apps can create high web traffic; prioritize unexplained patterns tied to risky device posture.
  • Use the relationship to T1404 to drive checks for exploitation-driven privilege escalation indicators on older vulnerable Android versions.
  • Use the relationship to T1643 to drive monitoring for unexpected web traffic or SMS-related activity originating from mobile devices.
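
The correlation the Technical view and the Detection direction bullets describe (outdated Android posture plus root/integrity signals plus unexplained outbound traffic, scored together rather than on any single indicator, with unmanaged devices surfaced as a blind spot) can be prototyped over MDM and proxy data. The following is an added example written for this page, not code from Glexia, MITRE, or the ArsTechnica report: the device records, proxy log lines, field layout, and the threshold values (minimum Android major version, requests and distinct hosts per hour) are all constructed assumptions that a team would replace with its own inventory export, log format, and baselines.

```python
"""Added example: score Android devices for the HummingBad-style pattern
(outdated OS + root/integrity change + unusual outbound traffic) by joining
an MDM inventory with proxy log lines keyed on device identity.
All data and thresholds below are constructed placeholders."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed local policy baselines (placeholders, not values from the page).
MIN_SUPPORTED_ANDROID = 10
MAX_REQUESTS_PER_HOUR = 300
MAX_DISTINCT_HOSTS_PER_HOUR = 25

POSTURE_SIGNALS = {"outdated_os", "root_or_integrity_failure"}
TRAFFIC_SIGNALS = {"high_request_volume", "many_distinct_hosts"}


@dataclass
class Device:
    device_id: str
    android_major: int
    rooted: bool            # root / integrity failure reported by MDM
    sideloaded_apps: int    # apps not installed from the managed store


# Constructed MDM inventory export (sample data, not real devices).
INVENTORY = [
    Device("dev-001", 13, False, 0),
    Device("dev-002", 6, True, 3),
    Device("dev-003", 12, False, 1),
]

# Constructed proxy log lines, one hour window:
# "<timestamp> <device_id> <method> <host> <bytes>". dev-999 is not enrolled.
PROXY_LOG = "\n".join(
    [
        "2024-05-01T10:00:01Z dev-001 GET mail.corp.example 1200",
        "2024-05-01T10:00:05Z dev-003 GET intranet.corp.example 800",
        "2024-05-01T10:01:00Z dev-999 GET cdn.corp.example 700",
        "this line is malformed and must be skipped",
    ]
    + [f"2024-05-01T10:{i // 60:02d}:{i % 60:02d}Z dev-002 GET "
       f"ad{i % 40}.tracker-example.test 300" for i in range(400)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<method>\S+) (?P<host>\S+) (?P<bytes>\d+)$"
)


def parse_proxy_log(text):
    """Return {device_id: [host, ...]}; lines that do not match are skipped."""
    per_device = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_device[m["device"]].append(m["host"])
    return per_device


def posture_findings(dev):
    """Weighted posture signals from the MDM record."""
    findings = []
    if dev.android_major < MIN_SUPPORTED_ANDROID:
        findings.append(("outdated_os", 2))
    if dev.rooted:
        findings.append(("root_or_integrity_failure", 3))
    if dev.sideloaded_apps > 0:
        findings.append(("sideloaded_apps", 1))
    return findings


def traffic_findings(hosts):
    """Weighted traffic signals from the device's proxy requests."""
    findings = []
    if len(hosts) > MAX_REQUESTS_PER_HOUR:
        findings.append(("high_request_volume", 2))
    if len(set(hosts)) > MAX_DISTINCT_HOSTS_PER_HOUR:
        findings.append(("many_distinct_hosts", 1))
    return findings


def triage(inventory, log_text):
    """Return (scored devices, highest first) and device ids seen in the
    proxy log but absent from inventory (the unmanaged blind spot)."""
    traffic = parse_proxy_log(log_text)
    results = []
    for dev in inventory:
        findings = posture_findings(dev) + traffic_findings(traffic.get(dev.device_id, []))
        names = {name for name, _ in findings}
        posture_hit = bool(names & POSTURE_SIGNALS)
        traffic_hit = bool(names & TRAFFIC_SIGNALS)
        score = sum(weight for _, weight in findings)
        if posture_hit and traffic_hit:
            score += 3  # the combination is what the detection direction asks for
        results.append({"device_id": dev.device_id, "score": score,
                        "findings": sorted(names),
                        "escalate": posture_hit and traffic_hit})
    unmanaged = sorted(set(traffic) - {d.device_id for d in inventory})
    return sorted(results, key=lambda r: -r["score"]), unmanaged


if __name__ == "__main__":
    scored, unknown = triage(INVENTORY, PROXY_LOG)
    for row in scored:
        print(row)
    print("unmanaged device ids in proxy log:", unknown)
```

Only a device that trips both a posture signal and a traffic signal is marked for escalation; a busy but fully patched, unrooted device scores low, which is the false-positive caveat from the bullets above. Device ids that appear in proxy logs but not in the inventory are reported separately so the unmanaged-device gap is visible to whoever owns enrollment.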

Mitigation priorities

  • Maintain an accurate inventory of Android devices that can access enterprise resources.
  • Enforce minimum supported Android versions and security patch expectations before granting access to sensitive services.
  • Use mobile device management or equivalent controls to assess device integrity, app inventory, and compliance state.
  • Apply conditional access or similar identity controls so risky or noncompliant mobile devices have limited access to business systems.
  • Prepare incident response procedures for isolating or unenrolling compromised mobile devices and reviewing associated identity activity.

Analyst notes and limits

The supplied ATT&CK object identifies HummingBad as Android malware associated with fraudulent advertising revenue and the ability to obtain root access on older vulnerable Android versions. The relationship context links it to exploitation for privilege escalation and generation of victim-originated traffic. Because official detection guidance is not provided, this take emphasizes defensible validation themes rather than specific signatures or guaranteed coverage.

Platforms and tactics are not specified on the malware object, and ATT&CK provides no official detection text. Local conclusions require environment-specific evidence such as mobile management coverage, device ownership model, Android version distribution, network logging, and identity access paths. The supplied data does not support claims of current exploitation, attribution, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

HummingBad

HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Mobile | ID: T1404 | Name: Exploitation for Privilege Escalation
Relationship / procedure: HummingBad can exploit unfixed vulnerabilities in older Android versions to root victim phones. [1]

Domain: Mobile | ID: T1643 | Name: Generate Traffic from Victim
Relationship / procedure: HummingBad can create fraudulent statistics inside the official Google Play Store, and has generated revenue from installing fraudulent apps and displaying malicious advertisements. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 851f1d247e4f736e...

Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Bundle imported: (blank) | Object version: 1.1 | Modified: (blank) | Status: Current bundle | Raw hash: 851f1d247e4f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ArsTechnica-HummingBad
     Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.
  2. [2] mitre-attack S0322

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.