Millions of Android Devices Were Infected by a Chinese Advertising Firm

Hummingbirds Of Costa Rica
MONTEVERDE, COSTA RICA - JANUARY 07: A Green Violetear is pictured at a Hummingbird feeding station on January 07, 2016 in Monteverde Costa Rica. Of the 338 known species of Hummingbird worldwide there are around 50 in Costa Rica. Hummingbirds are named for the distinctive sound made by their tiny beating wings, and are admired for their vibrantly coloured iridescent plumage. Their ability to hover, with wings beating between 12 and 90 times a second, and to fly backwards makes them different from all other birds. They are some of the smallest birds in the world and have the highest metabolic rate of any bird with a heart rate that can exceed 1,200 beats a minute. They can hear and see better than humans, but have a poor sense of smell. Hummingbirds eat at least half their body weight in food every day, darting between flowers to lap up nectar. They are generally solitary, very territorial and can be incredibly aggressive towards other birds. At night they go into a state of torpor to help conserve energy, and occasionally can be found sleeping upside down like bats on branches. (Photo by Dan Kitwood/Getty Images)
Dan Kitwood—Getty Images

In case you needed a reminder that hacking is big business: a group of cybercriminals operating as part of a Chinese advertising firm, has been running a malicious ad racket that rakes in roughly $300,000 monthly, according to Check Point, an Israeli cybersecurity company.

The researchers who exposed the alleged scam found that apps from Yingmob, the Chinese ad firm, were installed on nearly 85 million mobile devices running Google’s (GOOG) Android operating system. Of those, nearly 10 million were found to be running malicious software developed by the firm to display ads, generate illegitimate clicks, download fraudulent apps, and make money.

Get Data Sheet, Fortune’s technology newsletter.

“It would just take a flip of the switch, and this could turn into a botnet that could do more nefarious things than serve advertisements,” Dan Wiley, Check Point’s (CHKP) head of incident response, said on a call with Fortune.

The malicious software, he said, could easily be used to steal data from its targets, wage denial of service attacks against companies, or spy on people’s activities. He said that the group could turn all of Yingmob’s apps (200, of which 50 were deemed malicious) into malware with a simple update, and then sell access to those tens of millions of compromised machines to the highest bidder who would then have free range to do as he or she pleased.

The malware worked by installing a bundle of software known as a rootkit that gives computer crackers total control over infected devices, letting them engage in ad fraud. The campaign, dubbed “HummingBad” by the researchers, allowed the group to discreetly display a total of 20 million ads, generate 2.5 million clicks, and download 50,000 apps on the compromised machines per day, earning them about $10,000 daily.

Infected devices were mostly in China (1.6 million) and India (1.4 million). The Philippines and Indonesia represented half a million infected devices each, while the United States accounted for about 287,000 and Russia 208,000, among other countries.

Yingmob offers apparently legitimate advertising analytics services as part of its business as well.

For more on Android security, watch:

Check Point began investigating the ad fraud campaign in February after first detecting the malware on devices of a corporate customer, involving two people “at a large financial services institution.” After five months of digging, the company Friday published its report that exposed the group’s methods, which ranged from its hacking methods (drive-by-download attacks, which infect the machines of website visitors, that targeted adult sites as well as fake system update notifications that tricked people into installing and authorizing malware on their devices) down to its organizational structure and office floor plan (a 4-group, 25-person division at Yingmob called “development team for overseas platform” based in Level 5, Xingdu Plaza, 73 Beiqu Rd., Yuzhong, Chongqing, China).

Palo Alto Networks (PANW), a U.S. cybersecurity company, last fall identified Yingmob as the attacker behind what it named “YiSpector,” another malware-cum-ad fraud campaign targeting Apple’s (AAPL) iOS operating system. The two campaigns shared the same computing infrastructure and enterprise installation certificates to help pull off the attacks, among other tip-offs noted by Check Point.

Wiley said he expects that the gang will regroup and refine their attacks. “Most of these apps they’ll consider burned,” he said. “They’ll start creating new apps, new certificates, and infrastructure, that’s my guess.”

A Google (GOOGL) spokesperson told Fortune in an email that the company has “long been aware of this evolving family of malware and we’re constantly improving our systems that detect it. We actively block installations of infected apps to keep users and their information safe.”

Yingmob did not respond to Fortune’s request for comment.