This Android malware has infected 85 million devices and makes its creators $300,000 a month

Gang behind malware make money from fraudulent apps -- but if they choose to use their reach for theft, corporations could be put at risk.
Written by Danny Palmer, Senior Writer

A strain of Android malware has infected 85 million victims across the globe, generating at least $300,000 every month for the gang behind it, thanks to millions of pop-up adverts and app downloads.

On top of that, experts have warned that the spread of the malicious HummingBad software could be used to do even worse damage by stealing victims' data.

The mobile malware has been analysed by security researchers at Check Point after it was found on Android devices belonging to two employees at "a large financial institution". In-depth findings on the malware are laid out in the company's 'From HummingBad to Worse' report. The gang behind the malware -- thought to be located in China -- are estimated to generate around $1m every quarter from fraudulent ad revenue and the installation of bogus apps.

Initially discovered in February, HummingBad infects Android devices via two methods: drive-by downloads and malicious payloads delivered by websites distributing adult content.

Once the attack is underway, HummingBad attempts to gain root access to the device using a rootkit, which, if successful, gives attackers full access to the infected phone. If that attack method fails, HummingBad will also use a fake system update notification to trick users into giving it access to the entire Android system.

No matter which method of attack is used, a successful installation of HummingBad will see it install as many fraudulent apps on the infected device as possible, which is how the scheme generates revenue.

Researchers suggest that a total of 85 million Android devices across the globe have been infected in this way, with victims in China, India, the Philippines, and Indonesia accounting for over half of those successfully targeted.

It's estimated that 10 million victims are unwittingly using malicious apps, which in total deliver over 20 million advertisements a day, resulting in 2.5 million clicks every 24 hours. Engagement with these pop-up ads delivers around $10,000 per day, totalling about $300,000 each month.
