Chinese Ad Network's Monthly Profits From Android Malware Top $300,000

Over five months, a Chinese mobile advertising network has infected more than 85 million Android devices generating fake clicks and forcing more than 200 apps on victims for cash, according to security firm Check Point.

Android security

A Chinese mobile advertising firm has reaped more than $300,000 a month by infecting 85 million Android smartphones with malware, known as HummingBad, and using its control over the devices to fake advertising clicks and install unwanted applications, according to research published by security firm Check Point Software Technologies.

The firm, known as Yingmob, also legitimately sells mobile advertising, but its fraudulent efforts have reaped significant rewards for a group within the firm, whose name translates to "Development Team for Overseas Platform," Check Point stated in its report. The company's use of fraud nets more than 2.5 million clicks per day, totaling more than $3,000, and installs more than 50,000 fraudulent apps per day, totaling about $7,500.

"We've seen highly targeted attacks that expose sensitive and valuable information," Michael Shaulov, head of mobility product management at Check Point, told eWEEK. "But none until HummingBad have had a clear strategy of hiding behind a legitimate business to generate the money needed to stay alive and, more worrisome, to grow."

Check Point has been tracking the current operation since February, when the malware started spreading, according to data on a command-and-control server found by the company. However, in a July 7 blog post, mobile security firm Lookout argued that the attack is a variant of another piece of malware, Shedun, which appeared last November.

Both companies detected a massive spike in infected Android devices in the past month.

The malware and fraud network mainly impacts citizens in Southeast Asia. More than 10 million people currently have the applications running on their devices, with the top five impacted countries—accounting for about two-thirds of all infections—being China, India, the Philippines, Indonesia and Turkey. The United States is the eighth most impacted country, with less than 300,000 victims, according to Check Point.

Initially, Check Point saw the first HummingBad instances infecting devices through drive-by downloads, where the user visited a site that attempted to exploit vulnerabilities or trick the user into installing the app. More recently, the fraud group has embedded the malware into adult-themed apps from third-party stores.

Android device owners should avoid downloading apps from unofficial app stores and realize that jailbreaking a smartphone undermines much of the device's security, Shaulov said.

"The best way for consumers to stay protected is to be smart about where and how they install apps on devices," he said.

Check Point also warned that the attackers may not stop with turning compromised devices into cash. Nontraditional devices are increasingly being used to create botnets, and mobile devices could be used as a launchpad for future attacks, the company said.

"Yingmob's apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures, including productizing the access to the 85 million Android devices it controls," the company said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...