


Hummingbad: Tools & Techniques To Use When Inspecting Android Applications

  • Friday, December 9th, 2016 at 1:00 PM EST (18:00:00 UTC)
  • Cindy Murphy and Chris Crowley
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account.



This presentation explores methodology for performing malware analysis. We use the specific case of the Hummingbad family of malware since it is a substantial collection of variants, has substantial functionality, and represents the ongoing trend of organized, revenue-producing malware that is also used to steal information. Android malware is substantially more common than iOS malware.

Android users can choose to disable the "Unknown sources" restriction ("Allow installation of apps from unknown sources") and install applications from anywhere. Malware uses social engineering tricks to dupe victims into installing it. These tricks include: appearing to be a different application; sending text messages from a compromised phone to another person, compelling him to install the application for some reason; and threats of an infected phone, with a suggestion to install anti-virus software which is actually malware. Incidentally, Hummingbad's creators are also attributed with creating an iOS malware called YiSpecter.

Hundreds of variants of the Hummingbad family of malware have been discovered. Estimates of infected phones are in the millions, and monthly fraudulent ad revenue is about $300,000 USD. The malicious behavior included persistent root, installation of ad-revenue-producing apps, and key logger collection of credentials to steal information within protected containers. Its spreading vectors include drive-by downloads and fraudulent applications purporting to be pornography. It also tries to trick users into installing software, claiming to be an update, in order to root the phone.

In this webcast, Cindy Murphy and Christopher Crowley will show tools and techniques you can use to inspect Android applications to determine if they exhibit malicious behavior, using the Hummingbad family of malware as example specimens. This methodology can be employed as forensic analysis and can also be used in application assessments to determine if an application is suitable for use within an organization.

FOR585 Advanced Smartphone Forensics Course Instructor: Cindy Murphy
SEC575 Mobile Device Security and Ethical Hacking Instructor: Chris Crowley
For more information or to register visit:

The topic covered in this webcast is just a sample of the many important subjects covered in both FOR585 Advanced Smartphone Forensics and SEC575 Mobile Device Security and Ethical Hacking. To learn more about these courses or to find training near you, visit or

Speaker Bios

Cindy Murphy

Cindy Murphy is co-owner, president and lead investigator at Gillware Digital Forensics. Cindy Murphy served in law enforcement for more than 30 years, including 24 years as a detective with the Madison Police Department in Wisconsin. During 17 of those years she worked as a certified digital forensics examiner. She is a SANS certified instructor and co-author of the SANS FOR585 Advanced Smartphone Forensics course. She earned her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin. Cindy is also a veteran, a mother, a musician, a protester for First Amendment rights, a Brittany Spaniel enthusiast, and an expert knot tier.

"Good, real-world experience. Clearly, Cindy has been there, done that." - Chris Mallow, University of Oklahoma
"Cindy is Awesome! She fully understands what is happening in the field and how to do our job better." - John P., Shell Oil

Chris Crowley

Mr. Crowley has 15 years of industry experience managing and securing networks. He currently works as an independent consultant in the Washington, DC area. His work experience includes penetration testing, computer network defense, incident response, and forensic analysis.

Mr. Crowley is the course author for SANS Management 535 - Incident Response Team Management and holds the GSEC, GCIA, GCIH (gold), GCFA, GPEN, GREM, GMOB, and CISSP certifications. His teaching experience includes SEC401, SEC503, SEC504, SEC560, SEC575, SEC580, FOR585, and MGT535; Apache web server administration and configuration; and shell programming. He was awarded the SANS 2009 Local Mentor of the year award. "The Mentor of the Year Award is given to SANS Mentors who excel in leading SANS Mentor Training classes in their local communities."

"Chris really knew his stuff and presented ideas that made me change my mind on some policies and configs we employ." - William Jeskey, Tarrant County College
"Chris was one of the best instructors I have ever had in any training environment in almost 24 years of service." - Anonymous
