A malware program created by a highly organized Chinese hacking collective has gained control of 85 million Android devices, which the group is exploiting to the tune of $300,000 a month. The group, which researchers say is responsible for developing the HummingBad malware campaign, represents a dramatic increase in the organization and capabilities of hacking groups, according to security firm Check Point.

Dubbed Yingmob, the hacking group is also believed to be the brains behind the iOS malware campaign known as Yispecter. The group is highly organized and works alongside a legitimate Chinese advertising analytics company, according to Check Point, which uncovered the connection between Yingmob and HummingBad.

Sustainable Hacking

Check Point first discovered evidence of the HummingBad malware campaign in February. The malware consists of a persistent rootkit, which the hackers install on Android devices. The group then uses that rootkit to generate fraudulent ad revenue and install additional fraudulent apps. Yingmob has 25 employees organized into four different groups who are responsible for developing HummingBad’s malicious components, according to Check Point researchers.

Yingmob’s efforts have paid off. The group has been able to achieve self-sufficiency, proving that hacking groups can now generate enough income from their illegal activities to sustain themselves indefinitely. But financial gain is only the tip of the iceberg, according to the researchers.

The hackers try to root thousands of devices every day, and are able to successfully get its malware installed on devices hundreds of times each day. Yingmob can then use those devices to create a botnet, enabling the group to launch more targeted attacks against businesses and government agencies, or even sell the access it has gained on the black market.

Crime Has Never Paid So Well

All of which is very bad news for Internet security, Check Point said in its "From HummingBad to Worse" report on the group.

"Accessing these devices and their sensitive data creates a new and steady stream of revenue for cybercriminals," the security firm said. "Emboldened by financial and technological independence, their skillsets will advance, putting end users, enterprises, and government agencies at risk."

Despite the amount of work the group has done to develop its malware campaigns, Yingmob also engages in legitimate business activities. The company has several development teams working on legitimate tracking and ad platforms. The team responsible for developing the company’s malware, on the other hand, is dubbed the "Development Team for Overseas Platform."

"One of the interesting aspects of this campaign is the economic impact on users and advertisers," according to Check Point. "Abusing many ad server software development kits (SDKs) and defrauding them for revenue, HummingBad uses the entire spectrum of paid events for its operation, including displaying ads, creating clicks, and installing fraudulent apps. These illegitimate tactics generate more revenue for HummingBad developers than playing by the rules."