A persistent Android malware infection called Hummingbad has been found to control 85 million devices globally, generating an estimated $300,000 per month in fraudulent ad revenue for the criminals behind it.
First discovered by Check Point in February 2016, HummingBad is a tool used by Yingmob, a group of Chinese cyber-criminals. HummingBad establishes a persistent rootkit on Android devices to generate fraudulent ad revenue, and installs additional fraudulent apps to increase the revenue stream for the fraudster.
Interestingly, Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology. The group is highly organized with 25 employees staffing four separate groups responsible for developing HummingBad’s malicious components.
Other research firms have associated Yingmob with the malware targeting Apple iOS called Yispecter. Yispecter can download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to the C2 server.
Check Point researchers said in a report that they have confirmed that the same group is also behind HummingBad.
To wit: Yispecter uses Yingmob’s enterprise certificates to install itself on devices; HummingBad and Yispecter share C&C server addresses; HummingBad repositories contain QVOD documentation, an iOS porn player targeted by Yispecter; and both install fraudulent apps to gain revenue.
The steady stream of cash from the two malwares, coupled with a focused organizational structure, proves cyber-criminals can easily be financially self-sufficient, Check Point researchers noted. But the ad revenue isn’t the only line of business that this gambit offers.
As the infected Android devices have been rooted, the criminals have access to the devices for other purposes, such as pooling device resources to create powerful botnets, creating databases of devices to conduct highly-targeted attacks, or selling access to devices under their control to the highest bidder. Any data on infected devices is at risk, including enterprise data for users whose devices serve dual personal and work purposes.
“Without the ability to detect and stop suspicious behavior, these millions of Android devices and the data on them remain exposed,” Check Point researchers noted.
Photo © Mathias Rosenthal