More than 10 million Android devices – and 100,000 in the UK alone – have been infected by a particularly nasty malware dubbed HummingBad.
The malware was first discovered by Check Point in February; more details have now been revealed after the security firm’s experts spent five months with ‘unprecedented, behind-the-scenes access’ to a group of cybercriminals in China.
Called Yingmob, this group – a Chinese mobile ad server – is said to generate $300,000 per month in fraudulent ad revenue and effectively controls an arsenal of millions of mobile devices around the world.
The malware establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.
By following the command and control (C&C) servers used by the original HummingBad samples detected in February, researchers found the attackers’ repositories.
While other research firms have linked Yingmob with an iOS malware called Yispecter, Check Point said its researchers discovered the same group is also behind HummingBad. HummingBad runs alongside a legitimate advertising analytics business, sharing technology and resources, enabling it to control tens of millions of Android devices.
Half of those infected by HummingBad are running Android KitKat, followed by 40 per cent running Jelly Bean, 7 per cent running Lollipop, 2 per cent on Ice Cream Sandwich and the remaining 1 per cent on Marshmallow. The majority are in China and India.
With its rooted devices, the group can create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cybercriminals on the black market, Check Point said in its report.
People can become infected by browsing sites containing the malware, which attempts to take control of the device by gaining ‘root access’. If that fails, it sends fake system update notifications in a further attempt to trick users into granting the malware system-level permission. Once a device is infected, the personal data on it, from photos to passwords, is at risk, as is any enterprise data it holds.
“Yingmob may be the first group to have its high degree of organisation and financial self-sufficiency exposed to the public, but it certainly won’t be the last,” said Check Point.
“[We] believe this dangerous trend will escalate as other groups learn from Yingmob and find new ways to achieve the independence they need to launch larger and more sophisticated attack campaigns in the future.”
Check Point advises Android users to install anti-virus software, check their root permissions and keep their software and apps up to date.