Researchers revealed that a new form of malware targeting Android users – known as ‘HummingBad’ – has infected roughly 10 million devices worldwide.
According to a recent report by security firm Check Point, the malware first surfaced in February 2016. Since mid-May, however, the number of instances seen in the wild has increased significantly.
“[The malware] establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps,” explained Check Point.
After an in-depth analysis, researchers found that the malware campaign runs alongside a legitimate multimillion-dollar Chinese advertising analytics business called Yingmob.
The team responsible for developing the malicious components is ‘highly organized,’ researchers said: it draws on the company’s resources and technology and has a staff of 25 employees.
Cyber criminals behind ‘HummingBad’ have primarily been serving the malware via drive-by download attacks, in which unsuspecting users are infected simply by visiting a malicious website.
The vast majority of victims reside in China and India, with over 1.6 million and 1.35 million infected devices respectively. The Philippines, Indonesia and Turkey are also among the top 10 targets. Meanwhile, the United States ranks at number eight, with more than 288,000 victims.
“HummingBad uses a sophisticated, multi-stage attack chain with two main components. The first component attempts to gain root access on a device with a rootkit that exploits multiple vulnerabilities. If successful, attackers gain full access to a device. If rooting fails, a second component uses a fake system update notification, tricking users into granting HummingBad system-level permissions,” read the report.
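Because the first stage of the chain described above attempts to root the device, a defender's first triage question is whether a handset shows root indicators at all. The following script is an added example written for this article, not code from Check Point or from the report; it assumes an analyst has already pulled the output of `adb shell getprop` and an `adb shell ls` over a few well-known `su` locations, and the sample dumps embedded below are constructed for illustration. The property names and `su` paths it checks are common rooting indicators, not indicators published for HummingBad specifically.

```python
"""Triage helper: flag common root indicators in an Android property dump.

Added example (not from the Check Point report or the article). It assumes
the caller has collected two things from a device over adb:
  * the output of `adb shell getprop`, and
  * the output of `adb shell ls <path>` for a handful of well-known su paths.
The sample dumps below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Properties whose values indicate a debug/engineering build or a relaxed
# security posture on what should be a production (user) build.
SUSPICIOUS_PROPS = {
    "ro.build.tags": ("test-keys",),
    "ro.debuggable": ("1",),
    "ro.secure": ("0",),
    "ro.build.type": ("eng", "userdebug"),
}

# Locations where a `su` binary is commonly installed on rooted devices
# (assumed list for this example; not exhaustive).
SU_PATHS = [
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/su/bin/su",
]

# `getprop` prints one property per line as "[key]: [value]".
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(dump: str) -> dict[str, str]:
    """Turn a getprop dump into a key -> value mapping, skipping junk lines."""
    props: dict[str, str] = {}
    for line in dump.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


@dataclass
class RootReport:
    indicators: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def assess(getprop_dump: str, ls_output: str) -> RootReport:
    """Collect root indicators from a property dump and an `ls` listing."""
    report = RootReport()
    props = parse_getprop(getprop_dump)
    for key, bad_values in SUSPICIOUS_PROPS.items():
        value = props.get(key)
        if value in bad_values:
            report.indicators.append(f"{key}={value}")
    # `ls` echoes the bare path for files that exist; for missing files it
    # prints a "No such file or directory" error line, which never matches.
    present = {line.strip() for line in ls_output.splitlines()}
    for path in SU_PATHS:
        if path in present:
            report.indicators.append(f"su binary present: {path}")
    return report


# Constructed sample dumps (not captured from a real infected device).
SAMPLE_GETPROP_CLEAN = """
[ro.build.tags]: [release-keys]
[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""
SAMPLE_GETPROP_ROOTED = """
[ro.build.tags]: [test-keys]
[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.secure]: [1]
"""
SAMPLE_LS_CLEAN = (
    "ls: /system/bin/su: No such file or directory\n"
    "ls: /system/xbin/su: No such file or directory\n"
)
SAMPLE_LS_ROOTED = (
    "ls: /system/bin/su: No such file or directory\n"
    "/system/xbin/su\n"
)

if __name__ == "__main__":
    for label, props, ls in (
        ("clean", SAMPLE_GETPROP_CLEAN, SAMPLE_LS_CLEAN),
        ("rooted", SAMPLE_GETPROP_ROOTED, SAMPLE_LS_ROOTED),
    ):
        r = assess(props, ls)
        print(f"{label}: suspicious={r.suspicious} indicators={r.indicators}")
```

A clean build with no `su` binary produces an empty indicator list; the constructed "rooted" dump trips the `test-keys` tag, the `ro.debuggable=1` property and the `/system/xbin/su` path. A hit from this script is a reason to pull the device for deeper analysis, not proof of HummingBad on its own, since legitimate developer builds and user-initiated rooting set the same properties.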
In turn, cyber criminals are currently using this unsolicited access to 10 million Android devices to generate fraudulent ad revenue – an estimated $300,000 per month.
Nonetheless, researchers warned that financial gain is just the tip of the iceberg:
“Yingmob and groups like it . . . can pool device resources to create powerful botnets, they can create databases of devices to conduct highly-targeted attacks, or they can build new streams of revenue by selling access to devices under their control to the highest bidder,” said Check Point.