Chinese Advertiser Behind YiSpecter iOS Malware and HummingBad Android Malware

Share this…

Yingmob supposedly controls over 85 million Android devices. A Chinese advertising company is responsible for two of the biggest waves of malware for both the Android and iOS ecosystems, a recent Check Point report reveals.

Yingmob, an advertising company based in Chongqing, China, is supposedly the group behind the YiSpecter iOS malware and the HummingBad Android malware.

Both function in the same way, meaning they infect devices to show ads and secretly install other applications, earning their creators money from pay-per-install programs.

Crooks making over $300,000 each month

Check Point estimates that HummingBad alone delivers over 20 million ads per day that achieve a click rate of 12.5 percent, which is the equivalent of 2.5 million clicks per day. Additionally, HummingBad installs over 50,000 fraudulent apps per day.

Putting all these numbers together, Yingmob earns over $3,000 per day from clicks alone and another $7,500 from fraudulent app installs. That’s around $300,000 each month, or $3.6 million per year.

Check Point researchers say that HummingBad has managed to infect 85 million devices at the moment, and Yingmob has complete control over these smartphones because it illegally rooted them and can push any type of malware or make the devices take any action.

Yingmob has 25 people working on HummingBad

Back in 2015, Palo Alto Networks tied Yingmob to YiSpecter because the iOS malware was signed with Yingmob’s enterprise certificate.

Check Point also discovered that both HummingBad and YiSpecter share the same C&C server addresses, work in the same way, and HummingBad’s code shares some documentation with QVOD, the adult pornography player through which YiSpecter is distributed to its victims.

The security firm even goes as far as to say that Yingmob’s name for the division tasked with developing HummingBad is “Development Team for Overseas Platform,” where Yingmob assigned 25 employees.

Yingmob used 200 apps to spread HummingBad

The Chinese company apparently uses Umeng, a tracking and analytics service, to manage the HummingBad infections. According to Check Point, data from the Umeng account reveals that Yingmob has used almost 200 apps from August 2015 to distribute HummingBad.

Most of the infected users are located in China, India, the Philippines, Indonesia, and Turkey.

Due to the extremely large number of infected devices, over 85 million, Check Point fears that Yingmob could diversify its monetization scheme at any time by providing other groups with access to devices in the network of large enterprises or government agencies around the globe.

Evolution of HummingBad infections

Evolution of HummingBad infections