China-Based Hackers Compromise 85 Million Android Devices
The actors behind HummingBad, a malware that drops a persistent rootkit on Android devices, have established a large operation and have over 200 apps under control, 50 of which might be malicious, Check Point researchers reveal.
The rootkit was discovered in February this year as the latest campaign in a series that began with the discovery of BrainTest and also included PushGhost and Xinyinhe. At the time, researchers warned that the rootkit could cause great damage if the attacker decided to change objectives and install key-loggers to capture credentials, or even bypass the encrypted email containers used by enterprises.
As part of a detailed report on the malware, Check Point researchers say that Yingmob, a group of Chinese cyber criminals that operates alongside a legitimate Chinese advertising analytics company, sharing its resources and technology, is the actor behind the HummingBad rootkit.
The group is said to have 25 employees, some of them in charge of developing legitimate tracking and ad platforms. However, one team is responsible for three malicious projects: Eomobi (HummingBad malicious components), Hummer Offers (ad server analytics platform), and Hummer Launcher (ad server Android application package). The team has six product lines: Eomobi, Hummer Launcher, Root Software Development Kit (SDK), Hummer Offers, MAT, and Unitemobi.
Last week, security researchers at China-based Cheetah Mobile detailed what they called the Hummer Android Trojan, revealing that it might have compromised around 1.2 million devices worldwide, with India being the most affected country at around 154,000 compromised devices. HummingBad and Hummer belong to the same malware family, Check Point told SecurityWeek.
According to Check Point, the HummingBad malware has infected 10 million devices worldwide. It affected mostly users in China (1,606,384), India (1,352,772), and the Philippines (520,901), but each of the 20 countries with infected devices has more than 100,000 victims. The malware infected mainly KitKat (50%) and JellyBean (40%) devices, but it targets all Android versions.
Previously, Yingmob was associated with the iOS malware called Yispecter, and Check Point says the group is operating HummingBad too, because the two share C&C server addresses and install fraudulent apps to gain revenue. Moreover, HummingBad repositories contain QVOD documentation, an iOS porn player targeted by Yispecter, and the iOS malware uses Yingmob’s enterprise certificates to install itself on devices.
Now, the Yingmob group, which is believed to have started its activity in August 2015, is said to be controlling widespread operations, with nearly 85 million devices under its control. By analyzing the HummingBad communication patterns, researchers discovered that it sent notifications to tracking and analytics service Umeng, which was used as the control platform for the group’s nefarious operations.
The management panel revealed that the threat actor has almost 200 applications installed on nearly 85 million devices, and Check Point believes that around 25% of these apps are malicious. However, the cybercriminals don’t seem to be abusing all of these devices, researchers say.
HummingBad was created mainly for ad revenue and for distributing fraudulent applications: once installed on a targeted device, it seeks root access, after which it connects to the command and control (C&C) server and starts its nefarious activities. The 10 million devices infected with HummingBad are believed to generate $300,000 per month in fraudulent ad revenue.
The apps in the HummingBad campaign display more than 20 million advertisements per day, and the group that operates the malware achieves a high click rate of 12.5% through illegitimate methods, which translates into over 2.5 million clicks per day. At an average revenue per click (RPC) of $0.00125, the group's revenue from clicks reaches more than $3,000 per day.
Moreover, the researchers say that HummingBad installs over 50,000 fraudulent apps per day, which, at a rate of $0.15 per fraudulent app, results in financial gains of over $7,500 per day. Overall, that amounts to over $10,000 per day, or $300,000 per month. Cheetah Mobile researchers, who priced each fraudulent app installation at $0.50, suggested that the crooks made $500,000 daily (at a rate of 1 million installs).
Apparently, the group is also actively working on expanding its foothold by attempting to root thousands of devices every day, although it is successful only in hundreds of attempts. What’s worrying is that the data on these devices is put at risk, and that all infected devices can be abused to create a botnet, which can then be used in targeted attacks on businesses or government agencies. Yingmob can even sell the access to the botnet to other cybercriminals on the black market.
“While profit is powerful motivation for any attacker, Yingmob’s apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures, including productizing the access to the 85 million Android devices it controls. This alone would attract a whole new audience – and a new stream of revenue – for Yingmob. Quick, easy access to sensitive data on mobile devices connected to enterprises and government agencies around the globe is extremely attractive to cybercriminals and hacktivists,” researchers say.
A couple of weeks ago, a piece of Android malware called "Godless" was found to leverage multiple rooting exploits to target all Android 5.0 and earlier devices, meaning that nearly 90 percent of Android devices are at risk. Although Android 6.0 handsets aren’t targeted by HummingBad or Godless, other Trojans did manage to exploit the permission-granting model in this OS version to ensure persistency.