Chinese Ad Firm Raking in $300K a Month Through Adfraud, Android Malware

The same group of cybercriminals behind YiSpecter, a strain of iOS malware uncovered last year, are also behind a new type of Android malware, HummingBad.

The same group of cybercriminals behind a strain of iOS malware uncovered last year have apparently diversified and now dabble in Android malware.

The group, dubbed Yingmob, has been running a malware campaign named HummingBad that controls 10 million Android devices globally and rakes in $300,000 a month, researchers said on Friday.

According to researchers at Check Point, who watched the group spread malware over the course of five months, the group is the side business of a legitimate Chinese advertising analytics firm, Yingmob, that runs the campaign in tandem with the company’s usual business,

Researchers in February found the malware, which sets up a persistent rootkit on devices for carrying out ad fraud, but weren’t entirely clear on its connection to Yingmob until it traced the campaign’s source, shortly after that research was published.

HummingBad shares repositories for the command and control servers with YiSpecter, a strain of iOS malware that also carried out ad fraud, discovered last year. Both types of malware link back to Yingmob, a company that claims it’s based in Beijing but apparently also operates a team for developing malware more than 250 miles across the country in Ghongqing.

Check Point researchers did a deep dive on the company’s malware division and discovered it’s composed of 25 employees who work on three separate projects: Building the malicious components for HummingBad; overseeing the ad server analytics platform; and overseeing the ad server APK.

According to researchers, about 10 million users, mostly based in China and India, are using malicious apps that feature HummingBad code. The code sends notifications to Umeng, a Chinese analytics firm, where attackers can check for status updates.

When researchers looked at the company’s Umeng account, they found that the campaign attempts to root thousands of devices a day, hundreds of which are successful.

“The malware is rooting hundreds, if not thousands, of devices daily,” Dan Wiley, Head of Incident Response at Check Point told Threatpost Tuesday, “Sometimes the malware is unsuccessful at rooting those infected devices, but not always.”

As far as the ad fraud campaign goes, it really does it all: HummingBad displays ads – more than 20 million per day, creates clicks – more than 2.5 million per day, and installs bogus apps – more than 50,000 per day.

The company’s malware-producing arm has been quite the success, researchers say. The revenue it accumulates from clicks per day is in excess of $3,000. For each fraudulent app it peddles, it makes an additional $7,500 per day. That’s about $10,000 a day and $30,000 a month; consistent paydays which help the group maintain its autonomy.

Researchers claim that with as many devices as HummingBad has in its reach – 85 million Android devices are infected with Hummingbad but only a fraction of them have been rooted – the campaign has the potential to grow, either via a botnet, or through targeted attacks on businesses or government agencies.

“Yingmob’s apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures,” researchers wrote in Check Point’s report (.PDF), “including productizing the access to the 85 million Android devices it controls.”

When YiSpecter was uncovered last year, researchers with Palo Alto speculated it was developed by Yingmob, as many of its components were signed by certificates issued to the company under Apple’s iOS Developer Enterprise Program. That malware, which researchers claimed had been in the wild for 10 months, leveraged private APIs to load pornographic adware onto devices in China and Taiwan.

Suggested articles