A criminal division operating inside an otherwise legitimate Chinese tech company is behind a mobile malware campaign that currently generates around US$300,000 a month, according to security researchers.
Check Point this week published an in-depth threat analysis [pdf] following a five-month investigation into malware dubbed HummingBad, which was originally discovered in February.
The malware roots Android devices, primarily to generate revenue through fake ad clicks and fraudulent app installations.
Check Point claims that Yingmob, a Chinese mobile ad server and analytics business, develops and distributes the malware through a dedicated 25-person division known as its Development Team for Overseas Platform. Yingmob's legitimate operations allegedly share their considerable technology and resources with this department.
During its analysis of the HummingBad malware code, Check Point uncovered notifications to Umeng, a tracking and analytics service used to manage Yingmob's campaigns.
The researchers found nearly 200 apps referenced on the Umeng control panel, about 25 percent of which are malicious. According to Check Point, almost 85 million devices have installed at least one of these 200 apps, and approximately 10 million devices have installed a malicious one.
Further analysis revealed that HummingBad installs over 50,000 fraudulent apps daily. Through these tactics, Yingmob also displays over 20 million ads per day, yielding more than 2.5 million clicks, a click-through rate of 12.5 percent that is far higher than legitimate ad traffic produces.
With an average revenue per click of US$0.00125, those 2.5 million clicks earn Yingmob more than US$3000 a day (2.5 million × 0.00125 is roughly US$3125), while fraudulent app installations bring in another US$7500 per day, Check Point said. Together that is roughly US$10,500 a day, which is where the US$300,000-a-month figure comes from.
“This is the first time we were able to look into the back-end of a cybercriminal campaign and see how much money they actually generate,” Michael Shaulov, head of mobility product management at Check Point, said.
“I would assume as this campaign continues it will just increase.”
Check Point first connected HummingBad to Yingmob after an analysis of malware samples led to the Chinese company's repositories. Yingmob has already been associated with iOS malware known as YiSpecter, and according to Check Point the two campaigns share the same command-and-control server addresses, among other similarities.
Of the roughly 10 million Android devices found to be infected by HummingBad, about 16 percent (around 1.6 million devices) belong to users in China. India had the next largest number of infected devices, at approximately 1.35 million.
Although fraud for financial gain is the attackers' primary motivation, Check Point warned that HummingBad's rooting capability essentially gives adversaries the power to conduct far more damaging campaigns in the future.
“The scary part is that there is a backdoor that now can be utilised by any other cybercriminal group” that might partner with Yingmob and piggyback on their work, Shaulov said.
Such follow-on campaigns could steal banking credentials, eavesdrop on users or enlist devices as bots in distributed denial-of-service attacks.