HummingBad Android malware controls 85 million devices globally, generates $300,000 per month in fraudulent ad click revenue

July 2016 by Marc Jacob

A persistent Android malware infection called HummingBad, discovered by Check Point in February 2016, has control of 85 million devices globally and generates an estimated $300,000 per month in fraudulent ad revenue for the criminals behind it, according to new research by Check Point’s mobile research team.

For five months, Check Point’s researchers had unprecedented access to the inner workings of Yingmob, a group of Chinese cyber criminals behind the HummingBad malware campaign. HummingBad establishes a persistent rootkit on Android devices to generate fraudulent ad revenue, and installs additional fraudulent apps to increase the revenue stream for the fraudster.

Yingmob uses HummingBad to control 85 million devices globally to generate $300,000 per month in fraudulent ad-click revenue and fraudulent app downloads. This steady stream of cash, coupled with a focused organizational structure, proves cyber criminals can easily be financially self-sufficient. Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology. The group is highly organized with 25 employees staffing four separate groups responsible for developing HummingBad’s malicious components: they are based in Chongqing, China, one of 5 national central cities in the country.

As the infected Android devices have been rooted, the criminals have complete access to the devices for other purposes, such as pooling device resources to create powerful botnets, creating databases of devices to conduct highly-targeted attacks, or selling access to devices under their control to the highest bidder. Any data on infected devices is at risk, including enterprise data for users whose devices serve dual personal and work purposes. Without the ability to detect and stop suspicious behavior, these millions of Android devices and the data on them remain exposed.

Users may not be aware they are infected, and the malware cannot easily be removed, even by a factory reset of the device. Users would need to re-flash their device with a fresh install of Android to remove it.

