When we discuss mobile malware we usually look at the technological aspects, specifically how it's designed, how it spreads, what devices it targets, how it affects them after infection, and how it can removed.
What we rarely get to talk about is the financial side of things, which in the case of certain types of malware is the primary interest of their creators.
Check Point has published a report on the HummingBad malware campaign, finding that it generates $300,000 a month in fraudulent revenue with a pool of 85 million infected Android devices across the globe at its disposal. In a year attackers are looking at about $3.6 million in revenue, assuming the number of devices does not expand considerably.
The malware behind HummingBad is created by a group of Chinese hackers, who generates that kind of revenue by selling access to the infected devices to, basically, "the highest bidder". The malware is a persistent Android rootkit, which enables the attackers to install apps to serve advertisements.
Check Point estimates the number of malicious apps to be roughly 50, which have almost 10 million users in countries like China, India, and Philippines. The victims are primarily using KitKat (50 per cent) or Jelly Bean (40 per cent), while only one per cent of them are on the latest-available version of Android, namely Marshmallow.
The security firm has connected HummingBad to a Chinese mobile ad server company, called Yingmob, which is also associated with iOS malware Yispecter. This operation features three projects in development with multiple product lines, which suggests that we are looking at a well organised group.
There is even an address provided, which in my experience is unusual, which is Level 5, Xingdu Plaza, 73 Beiqu Rd., Yuzhong, Chongqing, China. That is where the so called "Development Team for Overseas Patform", which is responsible for the development of the malicious components of Yingmob's malware business, can be found.
The interesting thing is that the HummingBad campaign shares the technology and resources of what is believed to be a legitimate advertising analytics business, which is what allows it to control so many Android devices. Check Point says that the group behind the campaign successfully roots hundreds of devices every day, out of thousands of attempts.
While it currently only does so for advertising purposes, it is possible to utilise that pool of infected devices to create a botnet to carry out a cyberattack, for instance. There is also the risk of data theft, which can open new revenue streams for the attackers.
If you want to read more about HummingBad, hit this link to read Check Point's report.
Photo Credit: vectorfusionart/Shutterstock