
Researchers: Chinese mobile ad company is behind HummingBad Android malware

A malicious, criminal division of an otherwise legitimate Chinese tech company is behind a mobile malware distribution campaign that currently generates around $300,000 a month, according to an in-depth threat analysis by Check Point Software Technologies.

The malware, called HummingBad, was initially discovered in February 2016, and is known to root Android devices, primarily for the purpose of generating revenue through fake ad clicks and fraudulent app installations. Check Point claims that Yingmob, a Chinese mobile ad server and analytics business, is developing and distributing this malware through a special corporate division of 25 employees known as its Development Team for Overseas Platform. Yingmob's more benign operations allegedly share their ample technology and resources with this malicious department.

During its analysis of the HummingBad malware code, Check Point uncovered notifications to Umeng, a tracking and analytics service used to manage Yingmob's campaigns. Researchers found nearly 200 apps referenced on this control panel, about 25 percent of which are malicious in nature. According to Check Point, almost 85 million devices have installed at least one of these 200 apps, while approximately 10 million devices specifically downloaded a malicious one.

Further analysis revealed that the HummingBad malware installs over 50,000 fraudulent apps daily. Through these allegedly criminal tactics, Yingmob also displays over 20 million ads per day, yielding more than 2.5 million clicks – an unusually high click rate of 12.5 percent. With an average revenue-per-click of $0.00125, Yingmob makes more than $3,000 daily in clicks alone, while earning another $7,500 per day from fraudulent app installations, the report continues.

“This is the first time we were able to look into the back-end of a cybercriminal campaign and see how much money they actually generate,” said Michael Shaulov, head of mobility product management at Check Point, in an interview with “I would assume as this campaign continues it will just increase.”

Check Point first made the connection between HummingBad and Yingmob after an analysis of malware samples led to the Chinese company's repositories. Yingmob has already been associated with iOS malware known as YiSpecter, and according to Check Point, these campaigns share the same command-and-control server addresses, among other similarities.

Of the 10 million-or-so Android devices found to be infected by HummingBad, about 16 percent belong to users in China (or about 1.6 million devices). India had the next most infected devices (approximately 1.35 million), while the U.S. was eighth with 286,800.

Though financial gain via fraud is the attacker's primary motivation, Check Point warned that HummingBad's rooting capabilities essentially give adversaries the power to conduct even more damaging campaigns in the future.

For the infected, “The scary part is that there is a backdoor that now can be utilized by any other cybercriminal group” that might partner with Yingmob and piggyback on their work, said Shaulov. These additional cybercriminal campaigns could then potentially steal banking credentials, eavesdrop on users or use devices as bots to carry out distributed denial of service attacks.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
