The malware called HummingBad has infected over 10 million Android devices, researchers at the security firm Check Point are reporting. Importantly, they now claim to have tracked down where it originates. They first discovered the malware back in February, and they've now traced it to a Chinese advertising firm that doubles as a legitimate company.
Yingmob, the team managing the malware, runs side-by-side with an advertising and analytics agency, according to the report. It is a pretty typical-looking ad company, but its malware generates up to $300,000 a month through fraudulent app installs and ad clicks.
Check Point points to Yingmob as an example of how the worst malware companies are capable of supporting themselves independently. "The group is highly organized with 25 employees that staff four separate groups responsible for developing HummingBad’s malicious components," says the report.
"Emboldened by this independence, Yingmob and groups like it can focus on honing their skill sets to take malware campaigns in entirely new directions, a trend Check Point researchers believe will escalate," the researchers say. "For example, groups can pool device resources to create powerful botnets, they can create databases of devices to conduct highly-targeted attacks, or they can build new streams of revenue by selling access to devices under their control to the highest bidder."
On top of the 10 million users actively using these "malicious apps," the report says that Yingmob has access to 85 million devices globally with the ability to sell access to infected devices, as well as the information that passes through them. The malware is predominantly hitting devices in China (1.6 million infected) and India (1.3 million), but it's a global situation with 282,800 devices residing in the United States. There are 20 countries that have at least 100,000 infected devices.
The report notes that the $300,000 a month for Yingmob is "just the tip of the iceberg... The group tries to root thousands of devices every day and is successful in hundreds of attempts." That makes it a growing problem for Android users, though iPhone users aren't free from these kinds of attacks either. The researchers also found that Yingmob is associated with the YiSpecter iOS malware, which targets non-jailbroken iPhone users.