Shedun malware reportedly installs more than 50,000 malicious applications every day.
Cybercriminals working in tandem with a Chinese mobile advertising firm have turned to malware distribution as a profitable way to make money, according to research from cybersecurity researchers at Checkpoint.
After investigating a surge in a strain of malware called HummingBad, analysts claim that a 25-strong team of people working for a firm called Yingmob are responsible for infecting roughly 10 million Android devices with malicious software as part of a "click-fraud" scheme.
The malware, which takes root in the victim's device, allows the firm to inject advertising to earn additional income. Checkpoint claims it can also install promoted apps on infected phones and create fraudulent statistics on the Google Play Store.
In total, an in-depth report alleges, the malware installs more than 50,000 malicious applications on compromised phones every day, displays 20 million malicious advertisements and brings in roughly $300,000 per month in revenue.
HummingBad, which is also known as Shedun, works by using "drive-by downloads", meaning it can compromise a device by directing the target to an infected website. Its code is encrypted and it is persistent, attempting to use "multiple exploits" until it finds a route in.
It spreads largely by exploiting vulnerabilities in older versions of the Android OS, according to Checkpoint. Most of the infections are in China (1.6 million), India (1.35 million) and the US (287,000).
"The HummingBad campaign runs alongside a legitimate advertising analytics business, sharing their technology and resources, enabling it to control tens of millions of Android devices," the report states.
"Financial gain is just the tip of the iceberg. The group tries to root thousands of devices every day and is successful in hundreds of attempts. With these devices, a group can create a botnet, carry out targeted attacks on businesses or government agencies, and even sell the access to other cybercriminals on the black market."
The researchers linked Yingmob to a separate form of malware called YiSpecter, which targets Apple's iOS. Because both HummingBad and YiSpecter use Yingmob certificates to install on devices, share command and control (C&C) servers and both use fraudulent apps to generate revenue, it is likely the Chinese developers are culpable for both strains.
Checkpoint analysed the HummingBad code and found it sends notifications to a tracking and analytics service called Umeng, which the cybercriminals use to manage the campaign.
"The [Umeng] control panel registers almost 200 apps," Checkpoint stated. "[We] suspect about 25% of these apps are malicious. All combined, the campaign includes nearly 85 million devices." It found the most widely infected Android versions are KitKat (50%) and Jelly Bean (40%).
"While profit is powerful motivation for any attacker, Yingmob's apparent self-sufficiency and organisational structure make it well-positioned to expand into new business ventures, including 'productising' the access to the 85 million Android devices it controls," Checkpoint warned.
"This alone would attract a whole new audience, and a new stream of revenue, for Yingmob. Quick, easy access to sensitive data on mobile devices connected to enterprises and government agencies around the globe is extremely attractive to cybercriminals and hacktivists."
In a statement to Fortune, a Google spokesperson said: "We've long been aware of this evolving family of malware and we're constantly improving our systems that detect it. We actively block installations of infected apps to keep users and their information safe."
Security expert Graham Cluley said: "While HummingBad is currently being used for ad click fraud there is a danger that it could be used for other, more malicious attacks in future.

"Keeping your version of Android up-to-date with the latest security patches helps to make it harder for the criminals to get a foothold on your device, as does not installing apps from anywhere other than the official Google Play store."
Source: IBT