Check Point Security Investigates Chinese Advertiser Behind Hummingbad Android Malware

A Chinese group has engineered an Android-based malware campaign that may have ensnared as many as 85 million Android devices and, more importantly, is generating an estimated $1 million every three months.

According to security software and services firm Check Point, the Yingmob gang—which it has been watching for five months—is sophisticated, well-staffed, and extremely profitable.

The malware they are using is known simply as “HummingBad,” Check Point Security explains in its “From HummingBad to Worse” report.

The report says, “Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology. The group is highly organised with 25 employees that staff four separate groups responsible for developing HummingBad’s malicious components.”

In a blog post, Check Point explains, “HummingBad is a malware Check Point discovered in February 2016 that establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.”

Check Point also explains that parts of this malware resemble YiSpecter, which originally targeted Apple users on iOS, mostly affecting people in China. The firm argues that this is not a coincidence, as both come from the same source.

Check Point continues, “Yingmob uses HummingBad to generate $300,000 a month in fraudulent ad revenue. This steady stream of cash, coupled with a focused organisational structure, proves that cyber criminals can easily become financially self-sufficient.”

The security firm estimates that HummingBad—on its own—probably delivers more than 20 million ads every day with a click rate of 12.5 percent. That is equal to roughly 2.5 million clicks per day. In addition, HummingBad likely installs more than 50,000 fraudulent apps every day.

Put simply, Yingmob earns more than $3,000 a day—from clicks alone—and an additional $7,500 from the installation of fraudulent apps. This works out to roughly $300,000 every month (or approximately $3.6 million every year).

Check Point goes on to explain that the group's continued success could make matters worse as time passes. They say, “Emboldened by this independence, Yingmob and groups like it can focus on honing their skills. For example, groups can pool device resources to create powerful botnets, they can create databases of devices to conduct highly targeted attacks, or they can build new streams of revenue by selling access to devices under their control to the highest bidder.”