Hummingbad: Tools & Techniques To Use When Inspecting Android Applications

  • Friday, December 09, 2016 at 1:00 PM EST (2016-12-09 18:00:00 UTC)
  • Chris Crowley, Cindy Murphy


This presentation explores methodology for performing malware analysis. We use the specific case of the Hummingbad family of malware since it is a substantial collection of variants, has substantial functionality, and represents the ongoing trend of organized, revenue-producing malware that is also used to steal information. Android malware is substantially more common than iOS malware.

Android users can choose to disable the "Unknown sources" restriction (the setting labelled "Allow installation of apps from unknown sources") and install applications from anywhere. Malware uses social engineering tricks to dupe victims into installing it. These tricks include: appearing to be a different application; sending text messages from a compromised phone to another person, compelling him to install the application for some reason; and warning that the phone is infected, with a suggestion to install anti-virus software which is actually malware. Incidentally, Hummingbad's creators are attributed as also creating an iOS malware called YiSpecter.

Hundreds of variants of the Hummingbad family of malware have been discovered. Estimates of infected phones are in the millions, and monthly fraudulent ad revenue is about $300,000 USD. The malicious behavior included persistent root, installation of ad-revenue-producing apps, and key logger collection of credentials to steal information within protected containers. Its spreading vectors include drive-by downloads and fraudulent applications purporting to be pornography. It also tries to trick users into installing software, claiming to be an update, in order to root the phone.

In this webcast, Cindy Murphy and Christopher Crowley will show tools and techniques you can use to inspect Android applications to determine if they exhibit malicious behavior, using the Hummingbad family of malware as example specimens. This methodology can be employed as forensic analysis and can also be used in application assessments to determine if an application is suitable for use within an organization.

FOR585 Advanced Smartphone Forensics Course Instructor: Cindy Murphy
SEC575 Mobile Device Security and Ethical Hacking Instructor: Chris Crowley
For more information or to register visit:

The topic covered in this webcast is just a sample of the many important subjects covered in both FOR585 Advanced Smartphone Forensics and SEC575 Mobile Device Security and Ethical Hacking. To learn more about these courses or to find training near you, visit or

Speaker Bios

Cindy Murphy

Cindy Murphy is co-owner, president and lead investigator at Gillware Digital Forensics. Cindy Murphy served in law enforcement for more than 30 years, including 24 years as a detective with the Madison Police Department in Wisconsin. During 17 of those years she worked as a certified digital forensics examiner. She is a SANS certified instructor and co-author of the SANS FOR585 Advanced Smartphone Forensics course. She earned her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin. Cindy is also a veteran, a mother, a musician, a protester for first amendment rights, a Brittany Spaniel enthusiast, and an expert knot tier.

"Good, real-world experience. Clearly, Cindy has been there, done that." - Chris Mallow, University of Oklahoma
"Cindy is Awesome! She fully understands what is happening in the field and how to do our job better." - John P., Shell Oil

Chris Crowley

Christopher Crowley, a SANS Senior Instructor, has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities."

"Chris really knew his stuff and presented ideas that made me change my mind on some policies and configs we employ." - William Jeskey, Tarrant County College
"Chris was one of the best instructors I have ever had in any training environment in almost 24 years of service." - Anonymous
