MULTIPLE MALWARE VARIANTS AFFECTING ANDROID SYSTEM

Risk:
high
Damage:
high
Platform(s):
Android OS
Advisory ID:
ngCERT-2026-020002
Version:
nil
CVE:
CVE-2012-6422 and CVE-2013-6282
Published:
March 3, 2026

Summary


ngCERT is issuing an alert on Android systems compromised by multiple malware families, including Android Backdoor, Prizmes (BADBOX-related), Hummer (HummingBad), Rootnik, Triada, and Uupay. These malware families gain privileged, persistent access either by exploiting known kernel vulnerabilities (CVE-2012-6422 and CVE-2013-6282 among them) or by abusing the device supply chain, arriving pre-installed in firmware or bundled into repackaged apps. Their combined impact is severe, with consequences including loss of sensitive data, financial fraud, device instability, large-scale botnet participation, and erosion of user trust in mobile ecosystems. Given the widespread use of Android devices across the nation, ngCERT strongly urges government agencies, enterprises, and individuals to promptly apply the latest security patches and adopt proactive security measures to mitigate these threats.

Description & Consequence


The aforementioned malware families compromise devices through firmware pre-installation, repackaged apps, or malicious downloads from third-party sources, exploiting either the supply chain or the user's own installation choices. Their capabilities include rooting for privilege escalation, data exfiltration, ad fraud, credential theft, SMS interception, and backdoor access. Variants such as Triada and Prizmes/BADBOX embed themselves in the system partition, so they survive a factory reset; Hummer and Rootnik leverage kernel exploits such as CVE-2012-6422 and CVE-2013-6282 to obtain root; and Uupay pushes advertisements and collects device data. Note that the two rooting exploits cited date from 2012 and 2013 and only succeed on devices that never received the corresponding kernel patches, whereas the pre-installed variants need no exploit at all because they already ship with system privileges. Once root access is gained, the malware injects code into system processes such as Zygote (the parent of every app process) for persistence, which in turn enables data theft, credential interception, ad fraud, botnet integration, remote control, deployment of additional malware, and evasion of security controls.

Successful exploitation may result in:

  1. Unauthorised access to sensitive data (IMEI, device ID, contacts, SMS, credentials).
  2. Financial fraud through ad-click manipulation.
  3. Device instability due to unwanted apps, excessive ads, and network traffic.
  4. Enrolment of the device in a botnet used for DDoS attacks, proxy abuse, and disinformation campaigns.
  5. Persistent backdoor access enabling long-term exploitation.

Solution


Organisations and individuals are strongly advised to:

  1. Ensure Android OS and security patches are up to date.
  2. Limit downloads to official stores like Google Play Store and activate Google Play Protect for real-time scanning and threat detection.
  3. Deploy reputable antivirus/EDR tools with behavioural analysis to identify rooting attempts and anomalous activities.
  4. Examine new devices for pre-installed malware.
  5. Implement Multi-Factor Authentication (MFA).
  6. Enforce Mobile Device Management (MDM) policies to restrict unauthorised apps.
  7. Educate users on risks of third-party app stores and phishing campaigns.
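The triage script below is an added example for steps 3 and 4 above and is not part of the ngCERT advisory or any vendor tool. It pulls build properties, the installed-package list, su binary locations and the Zygote memory map from a device over adb, then checks them offline for the indicators described in this advisory: engineering (test-keys) builds, packages resident in read-only partitions that are not on the expected list, a su binary, and shared objects mapped into Zygote from a writable partition such as /data. The indicator lists, partition names, the allowlist format and the use of pidof on the device are assumptions; the data written by make_sample is constructed for demonstration and was not captured from a real device.

```shell
#!/bin/sh
# Offline Android triage over artefacts collected with adb.
# Added example, not ngCERT tooling. Indicator lists are assumptions:
# tailor the allowlist to the OEM build you are assessing.
set -u

# 1. Collection: run once per device with adb in PATH. Raw output is
#    written to $1 so that the analysis can be repeated offline.
collect() {
    d="$1"; mkdir -p "$d"
    adb shell getprop              > "$d/getprop.txt"
    adb shell pm list packages -f  > "$d/packages.txt"
    adb shell 'for p in /system/bin/su /system/xbin/su /sbin/su /su/bin/su; do
                 [ -e "$p" ] && echo "$p"; done' > "$d/su.txt"
    # Zygote forks every app; an .so mapped from /data is a classic injection
    # indicator. Reading its maps needs root or a debuggable build (assumption).
    adb shell 'cat /proc/$(pidof zygote64 || pidof zygote)/maps' \
        > "$d/zygote_maps.txt" 2>/dev/null
}

# 2. Build properties: a production device should report release-keys,
#    ro.secure=1 and ro.debuggable=0. getprop prints "[name]: [value]".
check_props() {
    awk -F'[][]' '
        $2 == "ro.build.tags" && $4 != "release-keys" { print "BUILD_TAGS " $4 }
        $2 == "ro.secure"     && $4 == "0"            { print "RO_SECURE_0" }
        $2 == "ro.debuggable" && $4 == "1"            { print "RO_DEBUGGABLE_1" }
    ' "$1"
}

# 3. Packages living in read-only partitions that are not on the allowlist
#    ($2, one package name per line). pm prints "package:<apk path>=<name>".
check_system_packages() {
    grep -E '^package:/(system|system_ext|product|vendor|oem)/' "$1" \
    | sed -E 's/^package:(.*)=([^=]+)$/\2 \1/' \
    | while read -r pkg path; do
          grep -qx "$pkg" "$2" || echo "UNEXPECTED_SYSTEM_PKG $pkg $path"
      done
}

# 4. Any su binary on a device that is not supposed to be rooted.
check_su() {
    [ -s "$1" ] && sed 's/^/SU_BINARY /' "$1"
    return 0
}

# 5. Shared objects mapped into Zygote from outside the trusted partitions
#    (field 6 of a /proc/<pid>/maps line is the backing path, if any).
check_zygote_maps() {
    awk '$6 ~ /\.so$/ && $6 !~ /^\/(system|system_ext|apex|vendor|product|oem)\// { seen[$6]++ }
         END { for (p in seen) print "ZYGOTE_FOREIGN_SO " p }' "$1"
}

# Run every check over a collected directory; one finding per line.
analyze() {
    d="$1"
    check_props "$d/getprop.txt"
    check_system_packages "$d/packages.txt" "$d/allowlist.txt"
    check_su "$d/su.txt"
    check_zygote_maps "$d/zygote_maps.txt"
}

# Number of findings; zero means no indicator fired.
finding_count() { analyze "$1" | wc -l | tr -d ' '; }

# Constructed sample artefacts (NOT real device output): a test-keys build
# with ro.secure=0, one unexpected privileged app, a su binary, and a library
# injected into Zygote from /data/local/tmp.
make_sample() {
    d="$1"; mkdir -p "$d"
    cat > "$d/getprop.txt" <<'EOF'
[ro.build.tags]: [test-keys]
[ro.secure]: [0]
[ro.debuggable]: [1]
[ro.product.model]: [SampleDevice]
EOF
    cat > "$d/packages.txt" <<'EOF'
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/priv-app/Gadget/Gadget.apk=com.sample.gadget
package:/data/app/~~abc==/com.example.game-1/base.apk=com.example.game
EOF
    printf '%s\n' com.android.settings com.android.systemui > "$d/allowlist.txt"
    printf '/system/xbin/su\n' > "$d/su.txt"
    cat > "$d/zygote_maps.txt" <<'EOF'
7a1f000000-7a1f100000 r-xp 00000000 fd:00 1201 /system/lib64/libc.so
7a1f200000-7a1f210000 r-xp 00000000 fd:00 1202 /apex/com.android.runtime/lib64/libart.so
7a1f300000-7a1f310000 r-xp 00000000 fd:00 9001 /data/local/tmp/libhelper.so
7a1f400000-7a1f410000 rw-p 00000000 00:00 0
EOF
}

if [ "${1:-}" = "--collect" ]; then
    collect "$2"; analyze "$2"
elif [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample "$tmp"; analyze "$tmp"; rm -rf "$tmp"
fi
```

Run `sh triage.sh --demo` to see the six findings the constructed sample produces, or `sh triage.sh --collect ./device1` with a device attached; populate `device1/allowlist.txt` from a known-clean unit of the same model first, otherwise every OEM package is reported. A clean device yields no output, so `finding_count` can gate a provisioning pipeline. Absence of findings is not proof of a clean device: a rooted firmware image can hide su and strip test-keys, so treat this as a first pass before deeper forensic imaging.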
