Triple Threat: Chinese Ad Company’s Malware Raises Ad Fraud, Cybersecurity & Privacy Concerns

What’s New?

Cybersecurity company Check Point recently released a report finding that HummingBad—a known malware that takes over Android devices, generates fraudulent advertising revenue, and installs apps on the infected phones—was developed and is controlled by a group of cybercriminals within Yingmob, an otherwise legitimate advertising analytics business based in Beijing. 

Check Point’s investigation found that the HummingBad campaign runs alongside Yingmob’s legitimate business, sharing technology and resources. According to Check Point, Yingmob has several teams developing legitimate tracking and ad platforms, but also has a team responsible for developing malware such as HummingBad. The group tries to infect thousands of new devices daily. It is estimated that the organization now controls tens of millions of Android devices mostly within China and India; however, there are several hundred thousand infected devices in the United States.

What You Need to Know

What is advertising fraud?
Ad fraud involves falsely reported impressions, clicks, data events, and other advertising actions to criminally earn money, or for other deceptive purposes, such as to skew ad campaign performances and deceive businesses or the public in general. (Ad fraud to earn money is more prevalent.) A WFA report on ad fraud projects the total cost of ad fraud in 2016 as $7.2 billion or 5% of the total digital market. Based on a conservative estimate, ad fraud is likely to cost advertisers $50 billion in the year 2025. Ad fraud causes damage to marketing effectiveness, to the business, and to taxpayers and national economies. The WFA report cites a Deloitte study that says for every $1 lost to ad fraud and ad inefficiency, the business loses up to $6 more.

What problems are raised by advertising fraud?
Ad fraud is perpetuated by marketing and criminal adversaries. These marketing perpetuators include highly skilled marketing technologists who can operate an ad fraud campaign at a large-scale; they also include illegitimate ad networks that knowingly participate in the fraud by acting as an intermediary. The criminal perpetuators include common cybercriminals and organized crime. Worse yet, it has been reported that this activity could result in money funding terrorist groups. According to the same WFA report, ad fraud could be second only to the cocaine and opiate markets as a form of organized crime.

With HummingBad, in particular, it is estimated that the malware installs more than 50,000 fraudulent apps per day which, in turn, display more than 20 million advertisements per day. Yingmob achieves a high click rate of 12.5% using the following described illegitimate methods: gaining access to devices and forcing devices to download apps and additional malicious components that trigger the advertising components used by the apps). These result in over 2.5 million clicks per day, which translate to about $10,000 per day or $300,000 per month in fraudulent revenue.

In addition to ad fraud issues, Yingmob’s control over these Android devices raise serious cybersecurity and privacy issues. Yingmob has the ability to carry out targeted attacks on businesses or government agencies, and even sell access to other cybercriminals on the black market. As a result, personal, proprietary, confidential, and sensitive data contained in these devices are at serious risk.
 
What can be done to address advertising fraud?
We recommend that companies take the following steps to address HummingBad and similar threats:

• Educate users about malware, ransomware, phishing, and related online social engineering issues;
• Develop in-house expertise—at least one designated resource—to support vendor selection and decision-making over ad partnerships because overreliance on outside third parties is not advisable in this area;
• Set better standards for buying ads, and avoid blindly buying ads across millions of sites, because this is one sure way of allocating money to ad fraud;
• Partner with cybersecurity companies that have a track record of systematically reducing exposure to ad fraud and similar problems; and
• Review advertising contracts and incorporate provisions against ad fraud, e.g. vendor contract liability (in the form of penalties for misallocating spend to ad fraud), return of commissions/fees from ad campaigns subject to ad fraud, full disclosure of website referrers pertaining to ad investments above a certain level.