Chinese Ad company Yingmob’s developers are allegedly responsible for the infection of approximately 10 million Android devices which is reportedly generating an income of around $300,000 USD per month.
CheckPoint, the security company famous for their network security devices and software, stated on their blog that they had discovered the malware on 2 devices belonging to employees at a financial services company.
The malware, named Hummingbad, establishes a rootkit on infected devices with the objective of generating fraudulent ad revenue.
“For five months, Check Point mobile threat researchers had unprecedented access to the inner-workings of Yingmob, a group of Chinese cyber criminals behind the HummingBad malware campaign. ” states the blog post from CheckPoint.
CheckPoint have been actively monitoring this particular campaign since February. Their investigation into Yingmob and their activities have uncovered the company’s building location, organisational structure, and even their office seating plan.
Yingmob employees are organised into three teams which includes developers dedicated to building the components, ad server application package (apk) and the server analytics platform.
CheckPoint also report that access to infected handsets as well as the information gleaned from the devices is also being sold by the Chinese organisation.
Once installed, Hummingbad has the ability to install key-loggers, capture user credentials, personal data and even bypass encrypted email containers, generating a major concern for enterprise players using Android mobile devices within their estate.
Its method of operation consists of 2 main attack vectors; the first checks for root status on the device and if not already available, launches a series of attacks to perform privilege escalation in order to get it. The second stage initiates a connection to a Command and Control (C2) Server and downloads additional malicious content, some containing dropper capabilities and others for rooting.
Compromised devices are then manipulated to display some of the organisation’s 20 million ads, which attract a combined total of around 2.5 million clicks.
The company has been accused in the past of producing mobile malware for both iOS and Android devices.
They are attributed with creating what was recognised as the first iOS malware, Yispecter, a malicious suite which affected unpatched iPhones, both jailbroken and non-jailbroken, with the ability to hijack most of the phones operation including replacing existing apps with malicious versions, mining the user’s personal data as well as reconfiguring browser settings in Safari.
Access to Yingmob’s control panel reveals that of the company’s 200 applications around 50 of these are deemed as malicious.
CheckPoint have reported the spread of this current infection to include some 1.6 million Chinese devices, 1.4 million in India and over 285,000 in the US. The UK and Australia are thought to have less than 100,000 devices affected.
The research further states that approximately a half of the infected users are running the KitKat OS with another 40 per cent using Lollipop.
For more information Download the report “From HummingBad to Worse” published by CheckPoint security.
Written by: Steven Boyd
Twitter: @CybrViews
[adrotate banner=”9″]
(Security Affairs –Yingmob, cybercrime)
Hackers breached Texas DOT (TxDOT), stealing 300,000 crash reports with personal data from its Crash…
SAP fixed a critical NetWeaver flaw that let attackers bypass authorization and escalate privileges. Patch…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws…
Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai…
China-linked threat actor targeted over 70 global organizations, including governments and media, in cyber-espionage attacks…
US seeks to seize $7.74M in crypto linked to North Korean fake IT worker schemes,…
This website uses cookies.