Earlier this month, security researchers discovered that a piece of Chinese malware called HummingBad has infected around 10 million Android devices worldwide.
The Israeli cybersecurity company Check Point published a report on its blog about the new Android security issue. According to BGR, the report explains that the malware is being run by a Chinese group called YingMob.
The Chinese hackers are leveraging the malware to install fraudulent apps that generate ad revenue. Check Point noted that the group appears to be highly organized: it has a total of 25 employees divided into four separate groups that developed HummingBad's components.
It is estimated that the group earns around $300,000 per month from its malicious software. According to the report, the most affected Android devices are located in India and China.
HummingBad spreads through "drive-by download" attacks: it is pushed to an Android device when users visit adult-oriented websites and other malicious sites. The malware uses a sophisticated, multi-stage attack chain built from two main components.
The first component uses a rootkit that exploits multiple vulnerabilities to gain root access on the device; if rooting fails, a second component displays a fake system update notification. The notification aims to trick users into granting system-level permissions to HummingBad.
Once it gains access to an Android device, the malware downloads as many fraudulent apps as possible. The malicious apps contain a mix of several malicious components.
Once installed, HummingBad opens ad banners on the user's device. The "close" button on these pop-up ad banners in reality registers as a click on the ad.
According to Fortune, Dan Wiley, Check Point's head of incident response, explained that HummingBad could easily be turned into a botnet capable of doing far more damage than serving fraudulent ads. He said the malicious software could easily be used to spy on people's activities, wage denial-of-service attacks against companies, or steal data from its targets.