Cybersecurity software developer Check Point has found that at least 10 million Android devices could have been infected with a Chinese malware called HummingBad since it was discovered in February.
In a recent analysis of the threat HummingBad poses, Check Point found that the number of infections shot up suddenly in the middle of May. The malware installs a persistent rootkit – software that gives its operator access to a device that they normally wouldn’t have – and generates up to US$300,000 per month in fake ad revenue, as well as installing additional fake apps.
In its report, Check Point said that the group behind HummingBad is Yingmob. Yingmob is a legitimate advertising analytics firm in China, but it runs alongside a highly organized group of cyber criminals that are reportedly responsible for developing HummingBad’s malicious components.
According to the report, titled ‘HummingBad to Worse’, the group is also able to sell access to the devices and distribute the information on them, which is the most worrying part of the infections.
Check Point also found that apps developed by Yingmob have been installed on nearly 85 million devices that run on Google’s Android OS, although only a small percentage include the malware.
Dan Wiley, Check Point’s head of incident response, told Fortune that all it would take for HummingBad to turn into a botnet capable of far more “nefarious” activities than just generating fake ad revenue is “a flip of a switch”.
Yingmob could also potentially turn all 200 of its apps, 50 of which have been deemed malicious, into malware by simply rolling out an update, and then sell access to all 85 million users to “the highest bidder” to do as they please with the data.
Google has also been keeping an eye on the malware. A Google spokesperson told CNet that the company has been aware of HummingBad for a long time and is “constantly improving our systems that detect it”.
Most of the infected devices are located in China (1.6 million) and India (1.35 million), followed by the Philippines, Indonesia, and Turkey. Fifty percent of the victims use the KitKat version of Android from 2013, while 40 percent use the Jelly Bean version from 2012.
The latest Android version is Marshmallow, of which only one percent has been infected, suggesting that newer versions of the OS are more resistant to the malware.