A security software maker says that Chinese cybercriminals have gained access to millions of smartphones around the world.
At least 10 million Android devices have been infected by malware called HummingBad, according to cybersecurity software maker Check Point.
Check Point, which has been tracking the malware since it was discovered in February, has released an analysis of the threat. For months, the number of infections was steady, but it spiked sharply in mid-May.
What makes HummingBad particularly interesting is the group behind it, which according to Check Point is a team of developers at Yingmob, an otherwise legitimate, multimillion-dollar advertising analytics agency based in Beijing.
"Yingmob has several teams developing legitimate tracking and ad platforms," Israel-based Check Point said in the analysis released Friday. "The team responsible for developing the malicious components is the 'Development Team for Overseas Platform' which includes four groups with a total of 25 employees."
HummingBad began as a "drive-by download attack," in which phones were infected when people visited websites.
"The first component attempts to gain root access on a device with…rootkit [software] that exploits multiple vulnerabilities. If successful, attackers gain full access to a device," Check Point said. "If rooting fails, a second component uses a fake system update notification, tricking users into granting HummingBad system-level permissions."
This access is used to generate fraudulent advertising revenue — apparently up to $300,000 per month — through the forced downloading of apps and clicking of ads.
But it's not just fake ad revenue at stake here, because the group is able to sell access to phones and give away information held on them, Check Point said. The security company estimates that over 85 million smartphones have the group's apps installed, though only a small percentage include the malicious software.