The malware installs on devices, generates fraudulent ad revenue and installs fraudulent apps.
Nearly 10 million Android phones have been affected by HummingBad malware, which originates from a Chinese cyber criminal group known as Yingmob, according to Check Point.
Check Point’s competitor Lookout claims to have discovered HummingBad in November last year, while Check Point claims to have discovered the malware in February this year. However, researchers at both companies agree that it has been steadily growing in activity and numbers ever since.
The malware installs a rootkit on Android devices, disguising itself as a legitimate app such as Facebook, Twitter, WhatsApp or Okta’s enterprise single sign-on app. Once installed, it generates fraudulent ad revenue and installs additional malicious apps.
According to Lookout, HummingBad also goes by the name Shedun and has three similar families, known as Shuanet, ShiftyBug and BrainTest.
Lookout official Kristy Edwards said: “Shedun and the related families follow a particular pattern: they are adware that silently roots devices, allowing them to remain persistent even if the user performs a factory reset.
“Shedun also uses its root privileges to install additional apps onto the device, further increasing ad revenue for the authors and defeating uninstall attempts.
“We have observed a recent spike in Shedun detections on Lookout’s mobile threat network. We believe this is attributable to the authors building new functionality or distributing the malware in new ways.”
According to Check Point, HummingBad’s creator, Yingmob, operates alongside a legitimate Chinese advertising analytics company and shares its resources and technology. The group works in an organised way, with 25 employees divided into four teams, each of which develops a different component of the malware.
Check Point further claims that Yingmob uses HummingBad to control about 10 million Android devices globally and can generate about $300,000 per month in fraudulent ad revenues.
It says that such an organisational structure shows that cyber criminals can become financially self-sufficient.
With experience and skills development, cyber criminals can take malware apps in a whole new direction. Check Point also raises the concern that the criminals’ next step could be to sell all the data they have gathered to the highest bidder.
They could pool resources with other gangs to launch more powerful attacks, or build databases of compromised devices and launch highly targeted attacks. Either way, millions of users with personal data on their devices are at risk of exposure.