A recent report by cyber security research firm Check Point shed new light on one of the largest attacks on mobile devices perpetrated in recent years. The report tracked the spread of the malware called HummingBad, which was first discovered in February. Since then it has spread to infect an estimated 10 million Android devices.
The most interesting aspect of the report was less about the scope of the attack and more about its source. The researchers at Check Point discovered that HummingBad was developed by a team working within Yingmob, an advertising analytics firm based out of Beijing.
The team used the IT infrastructure already in place at Yingmob to serve as the foundation for their malware attacks. Four groups totaling around 25 people, who had been tasked with development on overseas platforms, were instead leveraging company resources to attack Android devices.
Devices are exposed to HummingBad after visiting malicious websites. If the malware is not properly installed after the visit, it launches a second attack disguised as an update notification. Once a device is infected, the creators of HummingBad have full control of it.
Thus far, most of these infected devices have been used to fraudulently generate advertising revenue by forcing the devices to download apps and click ads. Experts estimate that this revenue stream alone nets $300,000 a month.
A far more destructive and lucrative threat could be looming, however. Since HummingBad gives cyber criminals complete access to a device, it’s especially easy to scour the device for sensitive information, or to sell access to a third party. Those in possession of the access could potentially exploit the device in dozens of different ways. Since there is no easy way to identify the presence of HummingBad on a device, most users are unaware of the infection and take no extra safety precautions.
The majority of the devices that have been infected are located in India and China, with a reported 1.35 million and 1.65 million devices impacted respectively. The US is estimated to have 288,000 infected devices, while countries like the UK and Australia are believed to have fewer than 100,000 infected devices.
The team exposed within Yingmob is an outlier in the cyber crime community since it operated under a well-respected front and piggybacked on the IT resources of a major company. That condensed the development time of HummingBad while significantly extending its reach. The group is also suspected of developing malware for Apple devices.
Officials at Google have said they are aware of the malware and are taking steps to detect and block it.