A malicious, criminal division of an otherwise legitimate Chinese tech company is behind a mobile malware distribution campaign that currently generates around $300,000 a month, according to an in-depth threat analysis by Check Point Software Technologies.
The malware, called HummingBad, was initially discovered in February 2016, and is known to root Android devices, primarily for the purpose of generating revenue through fake ad clicks and fraudulent app installations. Check Point claims that Yingmob, a Chinese mobile ad server and analytics business, is developing and distributing this malware through a special corporate division of 25 employees known as its Development Team for Overseas Platform. Yingmob's more benign operations allegedly shares its ample technology and resources with this malicious department.
During its analysis of the HummingBad malware code, Check Point uncovered notifications to Umeng, a tracking and analytics service used to manage Yingmob's campaigns. Researchers found nearly 200 apps referenced on this control panel, about 25 percent of which are malicious in nature. According to Check Point, almost 85 million devices have installed at least one of these 200 apps, while approximately 10 million devices specifically downloaded a malicious one.
Further analysis revealed that the HummingBad malware installs over 50,000 fraudulent apps daily. Due to its allegedly criminal tactics, Yingmob also displays over 20 million ads per day, yielding more than 2.5 million clicks – resulting in an unusually high click rate of 12.5 percent. With an average revenue-per-click of $0.00125, Yingmob makes more than $3,000 daily in clicks alone, while earning another $7,500 per day from fraudulent app installations, the report continues.
“This is the first time we were able to look into the back-end of a cybercriminal campaign and see how much money they actually generate,” said Michael Shaulov, head of mobility product management at Check Point, in an interview with SCMagazine.com. “I would assume as this campaign continues it will just increase.”
Check Point first made the connection between Hummingbad and Yingmob after an analysis of malware samples led to the Chinese company's repositories. Yingmob has already been associated with iOS malware known as Yispecter, and according to Check Point, these campaigns share the same command-and-control server addresses, among other similarities.
Of the 10 million-or-so Android devices found to be infected by HummingBad, about 16 percent belong to users in China (or about 1.6 million devices). India had the next most infected devices (approximately 1.35 million), while the U.S. was eighth with 286,800.
Though financial gain via fraud is the attacker's primary motivation, Check Point warned that HummingBad's rooting capabilities essentially gives adversaries the power to conduct even more damaging campaigns in the future.
For the infected, “The scary part is that there is a backdoor that now can be utilized by any other cybercriminal group” that might partner with Yingmob and piggyback on their work, said Shaulov. These additional cybercriminal campaigns could then potentially steal banking credentials, eavesdrop on users or use devices as bots to carry out distributed denial of service attacks.