In case you needed a reminder that hacking is big business: a group of cybercriminals operating as part of a Chinese advertising firm, has been running a malicious ad racket that rakes in roughly $300,000 monthly, according to Check Point, an Israeli cybersecurity company.
The researchers who exposed the alleged scam found that apps from Yingmob, the Chinese ad firm, were installed on nearly 85 million mobile devices running Google’s (GOOG) Android operating system. Of those, nearly 10 million were found to be running malicious software developed by the firm to display ads, generate illegitimate clicks, download fraudulent apps, and make money.
Get Data Sheet, Fortune’s technology newsletter.
“It would just take a flip of the switch, and this could turn into a botnet that could do more nefarious things than serve advertisements,” Dan Wiley, Check Point’s (CHKP) head of incident response, said on a call with Fortune.
The malicious software, he said, could easily be used to steal data from its targets, wage denial of service attacks against companies, or spy on people’s activities. He said that the group could turn all of Yingmob’s apps (200, of which 50 were deemed malicious) into malware with a simple update, and then sell access to those tens of millions of compromised machines to the highest bidder who would then have free range to do as he or she pleased.
The malware worked by installing a bundle of software known as a rootkit that gives computer crackers total control over infected devices, letting them engage in ad fraud. The campaign, dubbed “HummingBad” by the researchers, allowed the group to discreetly display a total of 20 million ads, generate 2.5 million clicks, and download 50,000 apps on the compromised machines per day, earning them about $10,000 daily.
Infected devices were mostly in China (1.6 million) and India (1.4 million). The Philippines and Indonesia represented half a million infected devices each, while the United States accounted for about 287,000 and Russia 208,000, among other countries.
Yingmob offers apparently legitimate advertising analytics services as part of its business as well.
For more on Android security, watch:
Check Point began investigating the ad fraud campaign in February after first detecting the malware on devices of a corporate customer, involving two people “at a large financial services institution.” After five months of digging, the company Friday published its report that exposed the group’s methods, which ranged from its hacking methods (drive-by-download attacks, which infect the machines of website visitors, that targeted adult sites as well as fake system update notifications that tricked people into installing and authorizing malware on their devices) down to its organizational structure and office floor plan (a 4-group, 25-person division at Yingmob called “development team for overseas platform” based in Level 5, Xingdu Plaza, 73 Beiqu Rd., Yuzhong, Chongqing, China).
Palo Alto Networks (PANW), a U.S. cybersecurity company, last fall identified Yingmob as the attacker behind what it named “YiSpector,” another malware-cum-ad fraud campaign targeting Apple’s (AAPL) iOS operating system. The two campaigns shared the same computing infrastructure and enterprise installation certificates to help pull off the attacks, among other tip-offs noted by Check Point.
Wiley said he expects that the gang will regroup and refine their attacks. “Most of these apps they’ll consider burned,” he said. “They’ll start creating new apps, new certificates, and infrastructure, that’s my guess.”
A Google (GOOGL) spokesperson told Fortune in an email that the company has “long been aware of this evolving family of malware and we’re constantly improving our systems that detect it. We actively block installations of infected apps to keep users and their information safe.”
Yingmob did not respond to Fortune’s request for comment.