A group of Chinese cyber criminals known as the Yingmob, are behind the propagation of HummingBad, a malware that establishes a persistent rootkit on Android devices, according to security Check Point Software Technologies, a Calif-based cyber security company.
According to Check Point, which discovered the bug in February, HummingBad began as a “drive-by download attack,” that infected mobile phones where they are used to visit certain Web sites. Once inside a device, the malware generates fraudulent advertising revenue for forcing the device to download apps and click on mobile ads. Each time an ad is clicked, Yingmob get’s paid.
The number of infections was steady at around two million for months, but they suddenly shot up 10 million last month.
Check Point said Yingmob is based in the Chaoyang district of Beijing. The group is a subsidiary of MIG Unmobi Technology Inc., an advertising company that offers pop-up, sidebar, and in-app advertisements.
“Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology,” a post on the Check Point Web site said. “The group is highly organized with 25 employees that staff four separate groups responsible for developing HummingBad’s malicious components.”
Other research firms have associated Yingmob with an iOS malware called Yispecter, but the evidence Check Point researchers found confirms the same group is also behind HummingBad:
- Yispecter uses Yingmob’s enterprise certificates to install itself on devices
- HummingBad and Yispecter share C&C server addresses
- HummingBad repositories contain QVOD documentation, an iOS porn player targeted by Yispecter
- Both install fraudulent apps to gain revenue
The company said HummingBad malware has several interesting aspects.
“First of all, the malware’s malicious components are all encrypted,” said Check Point researchers Andrey Polkovnichenko and Oren Koriat in a recent post. “This makes it much harder for security solutions to detect that it is malware since no malicious code is visible for inspection. Second, the malware initiates a silent attack vector.”
If the silent attack fails, the malware will launch a second attack vector with the same capabilities as the first one.
“This is an interesting course of action for mobile threats because redundancy helps the perpetrator ensure the objective is met. Finally, each attack vector consists of several stages, including decrypting and unpacking the actual malicious codes,” the researchers said.
Malware attacks like HummingBad will only increase in the near future according to the security company.
“For example, groups can pool device resources to create powerful botnets, they can create databases of devices to conduct highly-targeted attacks, or they can build new streams of revenue by selling access to devices under their control to the highest bidder,” said Check Point. “Without the ability to detect and stop suspicious behavior, these millions of Android devices and the data on them remain exposed.”
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…