Connect with us

Hi, what are you looking for?



Android Malware Gang Makes $10,000 a Day: Report

China-Based Hackers Compromise 85 Million Android Devices

China-Based Hackers Compromise 85 Million Android Devices

The actors behind HummingBad, a malware that drops a persistent rootkit on Android devices, have established a large operation and have over 200 apps under control, 50 of which might be malicious, Check Point researchers reveal.

The rootkit was discovered in February this year as the latest campaign in a series kicked off with the discovery of BrainTest, but also included PushGhost, and Xinyinhe. At the time, researchers explained that the rootkit could cause great damage in the event the attacker decided to change objectives and install key-loggers to capture credentials and even bypass encrypted email containers used by enterprises.

As part of a detailed report on the malware, Check Point researchers say that Yingmob, a group of Chinese cyber criminals that operates alongside a legitimate Chinese advertising analytics company, sharing its resources and technology, is the actor behind the HummingBad rootkit.

The group is said to have 25 employees, some of them being in charge with the development of legitimate tracking and ad platforms. However, one team is responsible for three malicious projects: Eomobi (HummingBad malicious components), Hummer Offers (Ad server analytics platform), and Hummer Launcher (Ad server Android application package). The team has six product lines: Eobomi, Hummer launcher, Root Software Development Kit (SDK), Hummer Offers, MAT, and Unitemobi.

Last week, security researchers at China-based Cheetah Mobile detailed what it called the Hummer Android Trojan, revealing that it might have compromised around 1.2 million devices worldwide, with India being the most affected country at around 154,000 compromised devices. HummingBad and Hummer are from the same malware family, Check Point told SecurityWeek.

According to Check Point, the HummingBad malware has infected 10 million devices worldwide. It affected mostly users in China (1,606,384), India (1,352,772), and the Philippines (520,901), but each of the 20 countries with infected devices has more than 100,000 victims. The malware infected mainly KitKat (50%) and JellyBean (40%) devices, but it targets all Android versions.

Previously, Yingmob was associated with the iOS malware called Yispecter, and Check Point says the group is operating HummingBad too, because the two share C&C server addresses and install fraudulent apps to gain revenue. Moreover, HummingBad repositories contain QVOD documentation, an iOS porn player targeted by Yispecter, and the iOS malware uses Yingmob’s enterprise certificates to install itself on devices.

Advertisement. Scroll to continue reading.

Now, the Yingmob group, which is believed to have started its activity in August 2015, is said to be controlling widespread operations, with nearly 85 million devices under its control. By analyzing the HummingBad communication patterns, researchers discovered that it sent notifications to tracking and analytics service Umeng, which was used as the control platform for the group’s nefarious operations.

The management panel revealed that the threat actor has almost 200 applications installed on nearly 85 million devices, and Check Point believes that around 25% of these apps are malicious. However, the cybercriminals don’t seem to be abusing all of these devices, researchers say.

HummingBad was created mainly for ad revenue and for distributing fraudulent applications: once installed on a targeted device, it seeks root access, after which it connects to the command and control (C&C) server and starts its nefarious activities. The 10 million devices infected with HummingBad are believed to generate $300,000 per month in fraudulent ad revenue.

The apps in the HummingBad campaign display more than 20 million advertisements per day, and the group that operates the malware achieves a high click rate of 12.5% with illegitimate methods, which translates into over 2.5 million clicks per day. At an average revenue per clicks (RPC) of $0.00125, the group’s accumulated revenue from clicks per day reaches more than $3,000.

Moreover, the researchers say that HummingBad installs over 50,000 fraudulent apps per day, which, at a rate for each fraudulent app of $0.15, results in financial gains of over $7,500 per day. Overall, that amounts to over $10,000 per day, or $300,000 per month. Cheetah Mobile researchers, who priced each fraudulent app installation at $0.50, suggested that crooks made $500,000 daily (at a rate of 1 million installs).

Apparently, the group is also actively working on expanding its foothold by attempting to root thousands of devices every day, although it is successful only in hundreds of attempts. What’s worrying is that the data on these devices is put at risk, and that all infected devices can be abused to create a botnet, which can then be used in targeted attacks on businesses or government agencies. Yingmob can even sell the access to the botnet to other cybercriminals on the black market.

“While profit is powerful motivation for any attacker, Yingmob’s apparent self-sufficiency and organizational structure make it well-positioned to expand into new business ventures, including productizing the access to the 85 million Android devices it controls. This alone would attract a whole new audience – and a new stream of revenue – for Yingmob. Quick, easy access to sensitive data on mobile devices connected to enterprises and government agencies around the globe is extremely attractive to cybercriminals and hacktivists,” researchers say.

A couple of weeks ago, a piece of Android malware called “Godless” was found to leverage multiple rooting exploits to target all Android 5.0 and earlier devices, meaning that nearly 90 percent of Android devices are at risk. Although Android 6.0 handsets aren’t targeted by HummingBad or Godless, other Trojans did manage to exploit the permission-granting model in this OS version to ensure persistency.

Related: Android Malware Targets Europe via Smishing Campaigns

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.