For five months, Check Point mobile threat researchers had unprecedented access to the inner-workings of Yingmob, a group of Chinese cyber criminals behind the HummingBad malware campaign. HummingBad is a malware Check Point discovered in February 2016 that establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps.

Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology. The group is highly organized with 25 employees that staff four separate groups responsible for developing HummingBad’s malicious components.

Download our report “From HummingBad to Worse” to learn more about the research team’s findings.

Other research firms have associated Yingmob with an iOS malware called Yispecter, but the evidence Check Point researchers found confirms the same group is also behind HummingBad:

  • Yispecter uses Yingmob’s enterprise certificates to install itself on devices
  • HummingBad and Yispecter share C&C server addresses
  • HummingBad repositories contain QVOD documentation, an iOS porn player targeted by Yispecter
  • Both install fraudulent apps to gain revenue



Figure 1: Number of HummingBad instances seen in the wild


Yingmob uses HummingBad to control 10 million devices globally and generate $300,000 per month in fraudulent ad revenue. This steady stream of cash, coupled with a focused organizational structure, proves cyber criminals can easily become financially self-sufficient.

Emboldened by this independence, Yingmob and groups like it can focus on honing their skill sets to take malware campaigns in entirely new directions, a trend Check Point researchers believe will escalate. For example, groups can pool device resources to create powerful botnets, they can create databases of devices to conduct highly-targeted attacks, or they can build new streams of revenue by selling access to devices under their control to the highest bidder.

Without the ability to detect and stop suspicious behavior, these millions of Android devices and the data on them remain exposed.

Learn more about Check Point Mobile Threat Prevention, the solution that first discovered the HummingBad malware. Schedule a demo today.

  1. Can you please explain what ‘unprecedented access’ means ? Did you talk with them ? Or did you simply hack them ?

  2. And how is it that you guys came to have access to Yingmob’s Umeng account and dashboard? It seems like the kind of info mentioned in the report in Yingmob’s Umeng account would require one to login to Yingmob’s account. Did Umeng or Yingmob just give up access to that dashboard? Or is that information actually all public?

  3. Frank at Work says:

    the fraud base is the in-place advertisement platform and regulations. As before with dialers, telephone gaming subscriptions and other forms of unwanted advertisement and service delivery, the regulation authority or service platform provider might stop this for good by introducing a cool down time to the order process and additional confirmation of order. If the user could step back from an unwanted order, the fraud would have no base. Electronic payment and automatic orders through mobile or data provider should always be forced to have an independent confirmation (email, SMS) before the order can take place. Banks should limit the amount of money transfers to avoid transfer fraud. Bitcoin and co should not take approvals….

  4. i like this latest version which is very much amazing and these features are really lovable and thus i got more information which is very much attractive and beautiful.

Comments are closed.