Last week, security firm Check Point disclosed a lot of information about HummingBad, a widely distributed malware toolkit, affecting over 10 million users. The malware is initially downloaded unknowingly through one of 200 apps available in Google Play. Those apps then root the device and download more of the infected apps, which then generate fake advertising clicks.
Since last week, a couple of questions have arisen. The most common question has been about just how widespread the problem is. Our initial numbers, reported last week, were a misrepresentation of the number of devices infected. We reported that 10 million devices were infected, but as it turns out, that was incorrect. In fact, the report states that 10 million users are affected, with many users having several infected devices. The real count comes in at about 85 million unique Android devices infected by this malware.
The primary count exists within China, where the developer and ad network YingMob exist, with 1.6 million users. India follows with 1.35 million and the Philippines with 520,901. The rest of the countries are spelled out below.
The next question we have heard has been about revenue. How much could YingMob possibly make generating fake advertising clicks on infected devices? According to Check Point, the company generates an average of $10,000 per day, which nets $300,000 per month, and $3.6 million annually. This is a lot of money for any organization, let alone a small Chinese advertising company. Profit, however, leads to a third question.
The third question we've been asked, and we discussed on the show last week, is about what's next for the malware. As of right now, the software, that has root access to 85 million devices, is fairly benign. It generates fake ad clicks and downloads additional apps. It could be a whole lot worse. If revenue is the main drive behind YingMob's actions, the next step could generate a lot more revenue. It involved selling root device access for 85 million devices to others.
Once another organization has root access to that many devices, they could do some real damage and mine some serious data. Root access can allow for data scraping from the device, including contacts, app data, etc. It can also continue to install other software, including screen readers and keyloggers. This could give nefarious groups access to email, banking, tax records, etc. Selling this access could generate FAR more than $3.6 million annually for the group.
Will there be more problems ahead because of HummingBad, or will YingMob be content generating revenue with their current methods? We will keep an eye out for any new developments.