An Android malware named HummingBad has been netting its creators more than $10,000 per day, an extensive report made by security firm Check Point says that approximately 85 million devices are infected with the virus.
HummingBad is a malware that has been going around for some months now, but only recently was its main purpose revealed: to make its creators’ thousands of dollars. The virus tries to install fraudulent apps into the user’s smartphones to collect money from ads. According to Check Pont’s report, the malware generates more than $300,000 per month in fraudulent ad revenue.
The virus was first discovered by Check Point’s analysts back in February 2016. The malware establishes a connection with a remote server by installing a persistent rootkit on Android devices, the team concluded. The virus will then download fraudulent apps, generating income for the hackers.
Check Point’s research claims that the malware has affected more than 85 million devices, the malware includes a routine that attempts to root thousands of Android devices in a daily basis. The report states:
With these devices, a group can create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cybercriminals on the black market. Any data on these devices is at risk, including enterprise data on those devices that serve dual personal and work purposes for end users.
However, as surprising as it sounds this malware is not being developed by a group of shady anonymous hackers, instead, HummingBad is the invention of a Chinese mobile ad server company called ‘Yingmob’. The research made by Check Point even includes the company’s physical address. Check Point noted:
The team responsible for developing the malicious components is the “Development Team for Overseas Platform” which includes four groups with a total of 25 employees. This team sits in Level 5, Xingdu Plaza, 73 Beiqu Rd., Yuzhong, Chongqing, China.
The most affected versions of Android are KitKat and JellyBean, which together accounts for 90% of the infections. Yingmob’s malware features a unique vector to acquire revenue, as the money is coming from ad revenue. The Chinese company gets $0.00125 for every click made inside one of the fraudulent apps, downloads account for $0.15. Small numbers indeed, but since the malware has found itself hosted in more than 85 million devices, the revenues have become quite large.
It has come to our attention a new report from Lookout, a cyber security firm. According to Lookout HummingBad is just another denomination for Shedun, a malware they claim to have discovered back in November of 2015.
We have observed a recent spike in Shedun detections on Lookout’s mobile threat network. We believe this is attributable to the authors building new functionality or distributing the malware in new ways.
The malware, known as HummingBad also goes by the name of Shedun, Hummer, ANDROIDOS_LIBSKIN or right_core. According to Lookout’s data, Shedun detections spike over 300% in march, and further spike over 600% in the past month.