Check Point Mobile Research Team Looks Back On 2017

February 18, 2018


The mobile world is extremely dynamic and changes rapidly, so it’s always a little hectic to follow its lead. For this reason, we try to stop every once in a while and take a look at what’s happened amidst the constant tracking of this ever-changing field.

In this post we will briefly review our findings in 2017 and identify their common traits.

All in all, we discovered malware that reached between 35.5 and 106 million users, most of whom downloaded it directly from 300+ apps on Google Play, Google’s official app store. Here are some of the major cases we encountered this year:

    1. HummingWhale – 2017 began with a storm as we found our arch nemesis, HummingBad, hidden inside apps on Google Play. The malware had given up its rooting capabilities in return for a much more sophisticated ad fraud scheme.
    2. Smishing attack on Czech Post – In this research we discussed Smishing, or SMS phishing, a tactic that attackers use to send SMS messages from supposedly legitimate organizations. These messages aim to persuade users to download a malicious app, to provide private information like bank account or credit card details or to click on a malicious URL.
    3. Preinstalled Malware – 36 Android devices were found containing malware which was pre-installed somewhere in the delivery chain. Some of the malware instances were given system privileges, meaning they couldn’t be removed by the user and the device had to be re-flashed.
    4. Permission Flaw – We spotted a flaw in one of Android’s security mechanisms related to the “SYSTEM_ALERT_WINDOW” permission. Based on Google’s policy which grants extensive permissions to apps installed directly from Google Play, this flaw exposes Android users to several types of attacks including ransomware, banking malware and adware.
    5. Judy – An auto-clicking adware which might be the largest malware infection on Google Play ever, reaching between 8.5 million and 36.5 million downloads.
    6. CopyCat – A mobile malware that infected more than 14 million Android devices around the world, rooting approximately 8 million of them and making millions of dollars by taking advantage of outdated devices with fake apps.
    7. DU Anti-Virus – We revealed that one of the most prominent free Anti-Virus software for Android devices was in fact abusing the extensive permissions granted to it by the user to enhance the performance of a different app by the same developer, without the users’ consent.

The major trends we witnessed are clear. For one, mobile botnets continue to expand and dominate the mobile malware arena. In 2017, we witnessed a persistent rise in the spread and technical capabilities of mobile adware botnets which managed to infiltrate Google Play with larger campaigns than ever before.

Second, as we have seen in previous years, money is one of the biggest motivations for malware developers. Pushing the technical capabilities of the malware “industry” are the rogue ad networks, which entail relatively little risk for their perpetrators, while guaranteeing a large revenue stream.

While we can’t know what lies waiting in the mobile arena of 2018, one thing is sure – we will be there to discover and protect against the mobile malware of the future.


