Hummingbad malware infects 10m Android devices, linked to Yispecter on iOS
A form of Android malware called Hummingbad has been found to be on over 10 million devices globally, and would appear to be from the same firm that produces the Yispecter iOS malware, a security firm has revealed.
Check Point explained in a blog post that the malware establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.
The malware is believed to come from a Chinese group called Yingmob that apparently operates alongside a legitimate advertising analytics business and shares its resources and technology. The group is said to be highly organized, with 25 employees staffing four separate groups responsible for developing HummingBad’s malicious components.
Hummingbad’s main point of distribution is a “drive-by download” that targets victims when they visit a compromised site, which then proceeds to download a malicious app onto their device.
Once installed on an Android device the malware hijacks advertising shown in other apps and on websites, replacing it with its own advertising. When a user clicks on the replaced advertising Yingmob gets paid, and according to the report, it’s believed they are generating $300,000 a month using this method.
The second aspect is the installation of other apps which the user did not request, a service from which Yingmob also generates revenue.
Given that it provides an open door for the installation of third-party apps, infected devices could also potentially be used to create botnets to conduct highly targeted attacks. The fact that the devices are under the attacker’s control means that access to the phones could be sold to the highest bidder.
Any data on infected devices is naturally also at risk.
iOS malware
Yingmob has been linked to iOS malware called Yispecter that was discovered in October 2015, and is believed to be the first malware that targets jailbroken and non-jailbroken iOS devices alike.
Yispecter can cause infected iPhones to download, install and launch arbitrary iOS apps, replace existing apps with those it downloads, hijack other apps’ execution to display advertisements, change Safari’s default search engine, bookmarks and opened pages, and upload device information to an external server.
Check Point noted several links between the two: Yispecter uses Yingmob’s enterprise certificates to install itself on devices; Hummingbad and Yispecter share command-and-control server addresses; Hummingbad repositories contain QVOD documentation (QVOD being an iOS porn player that Yispecter targeted); and both install fraudulent apps to generate revenue.
“This steady stream of cash, coupled with a focused organizational structure, proves cyber criminals can easily become financially self-sufficient,” Check Point researchers added.
Hummingbad’s victims are primarily found in China and India, although there are hundreds of thousands of infections in Turkey, the United States, Mexico, and Russia as well.
Image credit: michaelmalz/Flickr/CC by 2.0