In February this year, Check Point Mobile Threat Prevention detected a new, previously unknown mobile malware on two customer Android devices belonging to employees at a large financial services institution.
Called HummingBad, this malware establishes a persistent rootkit on the device with the aim of generating fraudulent ad revenue for its operator; it also installs fraudulent apps to increase that revenue stream.
HummingBad infects primarily through “drive-by download,” or by installing itself on devices that visit infected webpages and sites. Its code, which is obfuscated by encryption, attempts to install itself on a given device persistently by multiple means.
HummingBad is probably the product of Chinese cyber criminals working alongside Yingmob, a multimillion-dollar Beijing analytics company.
Yingmob uses HummingBad to control 10 million devices globally and generate $300,000 per month in fraudulent ad revenue. This steady stream of cash, coupled with a focused organizational structure, proves cyber criminals can easily become financially self-sufficient.
Emboldened by this independence, Yingmob and groups like it can focus on honing their skill sets to take malware campaigns in entirely new directions, a trend Check Point researchers believe will escalate. For example, groups can pool device resources to create powerful botnets, build databases of devices to conduct highly targeted attacks, or open new streams of revenue by selling access to devices under their control to the highest bidder.
Without the ability to detect and stop suspicious behavior, these millions of Android devices and the data on them remain exposed.
Source: Check Point blog