Yingmob Chinese Ad Company infected 10 million Android devices for click revenue

Pierluigi Paganini July 06, 2016

Chinese Ad company Yingmob ’s developers are allegedly responsible for the infection of approximately 10 million Android devices.

Chinese Ad company Yingmob’s developers are allegedly responsible for the infection of approximately 10 million Android devices which is reportedly generating an income of around $300,000 USD per month.

CheckPoint, the security company famous for their network security devices and software, stated on their blog that they had discovered the malware on 2 devices belonging to employees at a financial services company.

The malware, named Hummingbad, establishes a rootkit on infected devices with the objective of generating fraudulent ad revenue.

“For five months, Check Point mobile threat researchers had unprecedented access to the inner-workings of Yingmob, a group of Chinese cyber criminals behind the HummingBad malware campaign. ” states the blog post from CheckPoint.

CheckPoint have been actively monitoring this particular campaign since February.  Their investigation into Yingmob and their activities have uncovered the company’s building location, organisational structure, and even their office seating plan.

Yingmob employees are organised into three teams which includes developers dedicated to building the components, ad server application package (apk) and the server analytics platform.

CheckPoint also report that access to infected handsets as well as the information gleaned from the devices is also being sold by the Chinese organisation.

Once installed, Hummingbad has the ability to install key-loggers, capture user credentials, personal data and even bypass encrypted email containers, generating a major concern for enterprise players using Android mobile devices within their estate.

Its method of operation consists of 2 main attack vectors; the first checks for root status on the device and if not already available, launches a series of attacks to perform privilege escalation in order to get it. The second stage initiates a connection to a Command and Control (C2) Server and downloads additional malicious content, some containing dropper capabilities and others for rooting.

Compromised devices are then manipulated to display some of the organisation’s 20 million ads, which attract a combined total of around 2.5 million clicks.

The company has been accused in the past of producing mobile malware for both iOS and Android devices.

They are attributed with creating what was recognised as the first iOS malware, Yispecter, a malicious suite which affected unpatched iPhones, both jailbroken and non-jailbroken, with the ability to hijack most of the phones operation including replacing existing apps with malicious versions, mining the user’s personal data as well as reconfiguring browser settings in Safari.

Access to Yingmob’s control panel reveals that of the company’s 200 applications around 50 of these are deemed as malicious.

CheckPoint have reported the spread of this current infection to include some 1.6 million Chinese devices, 1.4 million in India and over 285,000 in the US. The UK and Australia are thought to have less than 100,000 devices affected.

Yingmob HummingBad malware

The research further states that approximately a half of the infected users are running the KitKat OS with another 40 per cent using Lollipop.

For more information Download the report “From HummingBad to Worse” published by CheckPoint security.

Written by: Steven Boyd

Steven BoydSteven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews






[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –Yingmob, cybercrime)

you might also like

leave a comment