How the Mobile Malware Economy is Humming
Got an Android smartphone or tablet? Then there’s a good chance that it could be contributing to the mobile malware economy, as one of the 85 million devices globally infected by HummingBad. This stealthy attack campaign is generating over $300,000 per month for the organization behind it, laying the foundation for further criminal activity. So how did a small company based in China manage to infect so many of the 1.4 billion Android devices worldwide to earn millions per year in fraudulent revenues?
Since early 2016, Check Point mobile threat researchers have had unprecedented, behind-the-scenes access to the criminals behind the attack, studying their activities and analyzing the malware they are using so successfully. What they found was a highly organized group, focused (like any legitimate business) on expansion and revenue growth – and some worrying warning signs indicating how the malware economy could develop.
We first discovered the HummingBad malware in February 2016. Briefly, it establishes a persistent rootkit on Android devices to generate fraudulent mobile advertising revenue, and to install fraudulent apps. We saw a growing number of infections and started tracing the attack campaign’s source. This turned out to be Yingmob, a legitimate Chinese mobile ad server company, which had already been linked to the development of malware targeting Apple iOS devices. The Yingmob team responsible for the malware has 25 employees and operates alongside the legitimate advertising analytics business, sharing their technology and resources.
Analysis of HummingBad’s code revealed that it communicates with Yingmob’s tracking and analytics dashboard from which the attackers manage the campaign, which consists of nearly 200 mobile apps, of which about 25% are malicious. Over several months, HummingBad and related malicious apps have quietly infected 85 million devices, a majority of which are in China, India and Eastern countries, but with significant numbers worldwide. For example, there are nearly 300,000 compromised devices in the USA.
HummingBad takes off
The first infection method the Check Point research team saw was drive-by downloads from a range of infected websites. HummingBad then uses a sophisticated, multi-stage attack chain with two main components. The first attempts to gain root access on a device by exploiting multiple vulnerabilities. If successful, attackers gain full access to a device.
If this fails, a second component uses a fake ‘system update’ notification, tricking users into granting HummingBad system-level permissions. Irrespective of whether rooting is successful, HummingBad downloads fraudulent apps to the device. The infection is persistent and very difficult to remove completely.
Once on a device, HummingBad exploits a full range of paid services, including displaying mobile ads, creating fraudulent clicks from users’ devices, and installing additional fraudulent apps. These illegitimate tactics generate much more revenue for HummingBad developers than playing by the rules. The attackers track the effectiveness of the apps in each category, and modify them to improve their effectiveness. We found that the apps display more than 20 million advertisements per day, and Yingmob achieves over 2.5 million ad clicks per day.
This translates to significant revenues: Yingmob’s average revenue per clicks (RPC) is $0.00125, making accumulated daily revenue from clicks is over $3,000. Added to revenues from fraudulent app downloads, which exceed $7,500 daily, Yingmob makes over $10,000 per day, more than $300,000 a month.
More than just money
The HummingBad campaign truly is a numbers game, but the money it earns is just the tip of the iceberg. The attack roots thousands more Android devices every day, building further on the 85 million that are already compromised. With access to these devices, a self-contained and structured organization like Yingmob can create a botnet, carry out targeted attacks on businesses or government agencies, or lease access to infected devices to other criminal groups, giving it an additional, lucrative revenue stream.
What’s more, any data on these devices is at risk, including enterprise data on BYOD phones and tablets. And without the ability to detect and stop suspicious behaviour, these millions of Android devices and the data on them remain exposed today. With such a proven revenue-generating potential – and the ability to offer access to these infected devices to other parties on a rental basis, we believe that HummingBad is a key example of how the mobile threat landscape will develop over the next couple of years. Organised criminal groups will learn from the example set by Yingmob, and find ways to turn mobile fraud into a lucrative business.
For individual users, the best way to avoid being infected by persistent malware such as HummingBad is to download apps only from Google Play, and to deploy a reputable anti-malware solution on Android devices. For enterprises running BYOD programs, the most effective approach is to deploy security measures on mobile devices that are capable of detecting malicious apps that even attempt to root the device. The solution should be able to inspect and quarantine suspicious apps in the cloud, before they are downloaded on the device. This way, the threat can be neutralized before it can take hold.
One thing is certain, though: the mobile malware economy is starting to hum – and we need to find ways to stop it taking flight.
About the Author
Michael Shaulov is Head of Mobility Product Management at Check Point. He leads product strategy for Check Point’s mobile security solutions including Check Point Mobile Threat Prevention. He is a recognized industry speaker, delivering talks at RSA Conference, BlackHat and Infosec. Prior to his role at Check Point, Michael was the CEO and co-founder of Lacoon Mobile Security, which was acquired by Check Point in April 2015.
Note: More details about HummingBad are available here.
Edited by Peter Bernstein