At least 10 million Android devices have been infected by malware called HummingBad, according to cybersecurity software maker Check Point.
Check Point, which has been tracking the malware since it was discovered in February, has released an analysis of the threat. For months, the number of infections were steady but they spiked sharply in mid-May.
What makes HummingBad particularly interesting is the group behind it, which according to Check Point is a team of developers at Yingmob, an otherwise legitimate, multimillion-dollar advertising analytics agency based in Beijing.
"Yingmob has several teams developing legitimate tracking and ad platforms," Israel-based Check Point said in the analysis released Friday. "The team responsible for developing the malicious components is the 'Development Team for Overseas Platform' which includes four groups with a total of 25 employees."
HummingBad began as a "drive-by download attack," in which phones were infected when people visited websites.
"The first component attempts to gain root access on a device with...rootkit [software] that exploits multiple vulnerabilities. If successful, attackers gain full access to a device," Check Point said. "If rooting fails, a second component uses a fake system update notification, tricking users into granting HummingBad system-level permissions."
This access is used to generate fraudulent advertising revenue -- apparently up to $300,000 per month -- through the forced downloading of apps and clicking of ads.
But it's not just fake ad revenue at stake here because the group is able to sell access to phones and give away information held on them, Check Point said. The security company estimates that over 85 million smartphones have the group's apps installed, though only a small percent include the malicious software.
Check Point isn't the only one tracking Yingmob though, with a Google spokesperson saying the company has "long been aware of this evolving family of malware and we're constantly improving our systems that detect it.
We actively block installations of infected apps to keep users and their information safe."
The bulk of victims are in China and India, with 1.6 million and 1.35 million cases respectively. The Philippines, Indonesia and Turkey are toward the top of the list, too. The US has 288,800 infected devices. The UK and Australia each have fewer than 100,000 devices affected.
"Yingmob may be the first group to have its high degree of organization and financial self-sufficiency exposed to the public, but it certainly won't be the last," Check Point said.
Malware has done considerable damage to mobile platforms over the past year. Apple, previously known for being virus and malware-proof, has been hit by multiple attacks, including some perpetrated by the same group behind HummingBad, according to Check Point.
Yingmob did not immediately responded to a request for comment.
Update, 11:43 a.m. AEST: Added comment from Google.