A Chinese advertising company called Yingmob is responsible for distributing the malware on a massive scale and would appear to be the same firm behind Yispecter iOS malware, cybersecurity company Check Point revealed.
Yingmob, based in Chongqing, China, markets itself as an advertising firm, claiming to provide easy-to-deploy ads support (text, pictures and video ads), without affecting the user experience. The service offers pop-up, sidebar, and in-app ads.
However, Check Point researchers claim that the company's "Development Team for Overseas Platform" is responsible for two of the biggest waves of malware:
HummingBad for Android and Yispecter for iOS.
"Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology." Check Point explained in a blog post. "The group is highly organized with 25 employees that staff four separate groups responsible for developing HummingBad's malicious components."Yispecter iOS malware was discovered by California-based network security firm Palo Alto Networks late last year, that targets jail-broken as well as non-jailbroken iOS devices.
On the other side, HummingBad targets Android devices, allowing the injection of advertisements into victim's devices, which when clicked, Yingmob gets paid.
200 Different Apps are used to Spread HummingBad
Check Point notes that HummingBad establishes a persistent rootkit on infected Android devices to produce fraudulent ad revenue, and installs an additional of over 50,000 fraudulent apps per day to increase revenue for the fraudster.
From August 2015, Yingmob has used nearly 200 different apps to distribute HummingBad Android malware.
HummingBad is distributed by "drive-by-download" method that infects victims with the malware when they visit a malicious site, which then proceed to download malicious apps onto their device.
During their analysis [PDF], Check Point researchers estimated that the Android malware alone delivers over 20 Million ads on a daily basis that achieve approximately 2.5 Million clicks per day. Also, around 10 Million victims are using malicious Android apps developed by Yingmob.
Fraudsters Making Over $3.6 Million Annually
From above statistics, it could be estimated that Yingmob earns more than $3,000 daily from clicks alone and another $7,500 from its fraudulent app installs, making $300,000 each month, or around $3.6 Million per year, from its campaign.
HummingBad has managed to infect 85 Million Android devices worldwide at the moment, that can be remotely commanded by Yingmob to install additional malware or take any action.
While Yispecter primarily targeted users in China and Taiwan, HummingBad's majority of victims resides in China, India, and the Philippines, though hundreds of thousands of victims are in Turkey, the United States, Mexico, and Russia as well.
The major similarity between HummingBad and YiSpecter is that both of them share the same command and control (C&C) server addresses that hackers use to communicate with their infected devices. This suggests that Yingmob is the same firm behind these two pieces of malware.
This is not the first time when any Chinese company has found involved in malicious ads campaign. Just a few months back, Chinese-based ISPs China Telecom and China Unicom, two of Asia's largest network operators, were caught red-handed for injecting ads and malware through their network traffic.