Cybercriminals working in tandem with a Chinese mobile advertising firm have turned malware distribution into a profitable business, according to researchers at Check Point.
After investigating a surge in a strain of malware called HummingBad, the analysts say a team of about 25 people working for a firm called Yingmob is responsible for infecting roughly 10 million Android devices with malicious software as part of a click-fraud scheme.
The malware, which roots the victim's device, lets the firm inject advertising to earn additional income. Check Point says it can also install promoted apps on infected phones and generate fraudulent statistics on the Google Play Store.
In total, the in-depth report alleges, the malware installs more than 50,000 fraudulent applications on compromised phones and displays 20 million malicious advertisements every day, bringing in roughly $300,000 per month in revenue.
HummingBad, which is also known as Shedun, spreads through "drive-by downloads": a device is compromised when its user is directed to a website hosting the malware. Its code is encrypted, and once on a device it is persistent, attempting "multiple exploits" in turn until one gives it a route in.
It relies largely on exploiting vulnerabilities in older versions of the Android OS, according to Check Point. Most of the infections are in China (1.6 million), India (1.35 million) and the US (287,000).
"The HummingBad campaign runs alongside a legitimate advertising analytics business, sharing their technology and resources, enabling it to control tens of millions of Android devices," the report states.
"Financial gain is just the tip of the iceberg. The group tries to root thousands of devices every day and is successful in hundreds of attempts. With these devices, a group can create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cybercriminals on the black market."
The researchers also linked Yingmob to YiSpecter, a separate malware family that targets Apple's iOS. Both HummingBad and YiSpecter install using Yingmob certificates, share command and control (C&C) servers and use fraudulent apps to generate revenue, so it is likely the same Chinese developers are responsible for both strains.
Check Point analysed the HummingBad code and found that it sends notifications to a tracking and analytics service called Umeng, which the cybercriminals use to manage the campaign.
"The [Umeng] control panel registers almost 200 apps," Check Point stated. "[We] suspect about 25% of these apps are malicious. All combined, the campaign includes nearly 85 million devices." It found the most widely infected Android versions are KitKat (50%) and Jelly Bean (40%).
"While profit is powerful motivation for any attacker, Yingmob's apparent self-sufficiency and organisational structure make it well-positioned to expand into new business ventures, including 'productising' the access to the 85 million Android devices it controls," Check Point warned.
"This alone would attract a whole new audience – and a new stream of revenue – for Yingmob. Quick, easy access to sensitive data on mobile devices connected to enterprises and government agencies around the globe is extremely attractive to cybercriminals and hacktivists."
In a statement to Fortune, a Google spokesperson said: "We've long been aware of this evolving family of malware and we're constantly improving our systems that detect it. We actively block installations of infected apps to keep users and their information safe."
Security expert Graham Cluley said: "While HummingBad is currently being used for ad click fraud there is a danger that it could be used for other, more malicious attacks in future.
"Keeping your version of Android up-to-date with the latest security patches helps to make it harder for the criminals to get a foothold on your device, as does not installing apps from anywhere other than the official Google Play store."
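The two pieces of hygiene advice above translate into a check an administrator can script across a fleet. The script below is an added example, not code from the article, from Check Point or from Google. It parses output in the shape produced by `adb shell getprop ro.build.version.security_patch` and `adb shell pm list packages -3 -i`, flags a patch level older than a cut-off date, and lists third-party apps whose recorded installer is not the Play Store. The July 2016 cut-off is this example's assumption (the month the report appeared), not a figure from the page, and the device output is constructed sample data so the script runs with no device attached.

```shell
#!/bin/sh
# Added example, not code from the article or from Check Point: an offline
# triage of the two recommendations above (patch level, install source).
# It parses output in the shape of `adb shell getprop ro.build.version.security_patch`
# and `adb shell pm list packages -3 -i`. Real use would pipe adb output in;
# here the input is constructed sample data so the script runs without a device.

# Constructed sample: a device whose last security patch predates the campaign.
SAMPLE_PATCH_LEVEL="2016-02-01"

# Constructed sample of `pm list packages -3 -i`: third-party apps and the
# package that installed each one (null = sideloaded with no recorded installer).
SAMPLE_PACKAGES='package:com.example.bank installer=com.android.vending
package:com.example.game installer=null
package:com.example.flashlight installer=com.android.packageinstaller
package:com.example.weather installer=com.android.vending'

# Assumed policy threshold: the report came out in July 2016, so a device
# patched before then is treated as exposed. Adjust for your own fleet.
REQUIRED_PATCH_LEVEL="2016-07-01"

# patch_level_ok HAVE NEED: succeed when patch level HAVE (YYYY-MM-DD) is on
# or after NEED. Dates are compared as integers after stripping the dashes.
# An empty HAVE (the property does not exist before Android 6.0, i.e. on the
# KitKat and Jelly Bean devices the report found most infected) fails the check.
patch_level_ok() {
    have=$(printf '%s' "$1" | tr -d -)
    need=$(printf '%s' "$2" | tr -d -)
    [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# sideloaded_packages LISTING: print the package names whose installer is
# anything other than the Play Store (com.android.vending), one per line.
sideloaded_packages() {
    printf '%s\n' "$1" | awk -F'[ =]' '
        $1 ~ /^package:/ && $3 != "com.android.vending" {
            sub(/^package:/, "", $1)
            print $1
        }'
}

# Report for the constructed sample.
if patch_level_ok "$SAMPLE_PATCH_LEVEL" "$REQUIRED_PATCH_LEVEL"; then
    echo "patch level $SAMPLE_PATCH_LEVEL: OK"
else
    echo "patch level $SAMPLE_PATCH_LEVEL: behind $REQUIRED_PATCH_LEVEL, review rooting exposure"
fi
echo "apps not installed from Google Play:"
sideloaded_packages "$SAMPLE_PACKAGES" | sed 's/^/  /'
```

On a real device, replace the two sample variables with the output of `adb shell getprop ro.build.version.security_patch` and `adb shell pm list packages -3 -i`. An empty patch level is itself a finding: the property only exists from Android 6.0 onwards, so a blank value means the device runs one of the older releases that the report says carried the bulk of the infections, and the installer listing assumes a `pm` version that honours the `-i` flag.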