
Illustration by Max Fleishman

This Chinese malware is making its creators $300,000 per month

The malware may have come from an advertising agency.


AJ Dellinger


Posted on Aug 2, 2016   Updated on May 26, 2021, 8:37 am CDT

Advertisements on mobile devices aren’t just annoying, they can also be malicious. According to a report from cybersecurity experts, a Chinese group has spread malware to Android users that is generating over $300,000 per month in revenue.

The findings come from security firm Check Point, which started tracking the malware in February. In the months since it was first discovered, the malware, known as HummingBad, has wormed its way onto 10 million Android devices.

Most HummingBad infections stem from “drive-by download” attacks, which download the devious software when a user visits a website that hosts it. The malware then attempts to gain root access, which would give it control over every aspect of the phone. If that fails, a secondary component creates a fake system update notification that tricks users into granting the virus system-level permissions on the device.

Once installed on the phones and granted the privileges it requires to operate, HummingBad gets to work generating revenue through shady tactics, including installing additional applications on the device and injecting and displaying advertisements that make money when clicked.

Researchers at Check Point suggest the malware is making over $300,000 per month for its creator. According to Check Point, the people benefiting from HummingBad’s behavior are developers at Yingmob, a seemingly legitimate mobile advertising and analytics firm based in Beijing. 

A subsidiary of the multi-million dollar advertising company MIG Unmobi Technology, Yingmob offers its services deploying pop-ups, sidebars, and in-app ads on mobile platforms. The company produces its own mobile apps, which have been installed on an estimated 85 million smartphones.

Check Point claims that a portion of Yingmob’s staff—the 25 people employed as part of the “Development Team for Overseas Platform”—is behind the HummingBad malware.

Yingmob’s status as a genuine business makes the prospect of a secretive and malicious click farm a troubling one, as the team is able to dedicate infrastructure to creating and maintaining the malicious service.

The dangers of HummingBad may run much deeper than just serving up and clicking an inordinate amount of ads; the virus can be used to collect user information to be sold or used for a variety of purposes. The group can also sell direct access to the phones that are affected.

Most of the victims of HummingBad are in China, with 1.6 million affected users, and India, with 1.35 million. Users in Indonesia, the Philippines, and Turkey have also been disproportionately hit by the virus. There are nearly 290,000 instances of HummingBad in the United States.

Malware has been hitting mobile hard in recent months, as users on both Android and iOS have been targeted. Increasingly effective and malicious attacks have done everything from changing PIN codes on lock screens to hijacking the functions of a device while it appears to be off. Even iOS, which is generally considered to be less at risk of attack, has been affected by bad actors who managed to sneak infected code into Apple’s walled garden of apps.

H/T V3

*First Published: Aug 2, 2016, 3:03 pm CDT