Tuesday, 21 November 2017

HummingBad Android malware controls 85m devices globally

Check Point
Tuesday 05 July 16

A persistent Android malware infection called Hummingbad, discovered by Check Point in February 2016, has control of 85 million devices globally and generates an estimated $300,000 per month in fraudulent ad revenue for the criminals behind it, according to new research by Check Point’s mobile research team.

Yingmob, a group of Chinese cyber criminals, is behind the HummingBad malware campaign. HummingBad establishes a persistent rootkit on Android devices to generate fraudulent ad revenue, and installs additional fraudulent apps to increase the revenue stream for the fraudster.

Yingmob uses HummingBad to control 85 million devices globally to generate $300,000 per month in fraudulent ad-click revenue and fraudulent app downloads. This steady stream of cash, coupled with a focused organizational structure, proves cyber criminals can easily be financially self-sufficient.

Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology. The group is highly organized, with 25 employees staffing four separate groups responsible for developing HummingBad’s malicious components; they are based in Chongqing, China, one of 5 national central cities in the country.

As the infected Android devices have been rooted, the criminals have complete access to the devices for other purposes, such as pooling device resources to create powerful botnets, creating databases of devices to conduct highly targeted attacks, or selling access to devices under their control to the highest bidder. Any data on infected devices is at risk, including enterprise data for users whose devices serve dual personal and work purposes. Without the ability to detect and stop suspicious behavior, these millions of Android devices and the data on them remain exposed.

Users may not be aware they are infected, and the malware cannot easily be removed, even by a factory reset of the device. Users would need to re-flash their device with a fresh install of Android to remove it.
