Chinas status as malware haven has a risky message for all

那些令人不勝其烦的垃圾信息究竟从何而来？

面对恶意软件，我们又该如何应对？

Its usually a young woman， moving through the subway from person to person. Politely， she asks if commuters would like to sign up to her WeChat account. In this case， she explains its a small fashion boutique which will provide updates on the latest products， chosen herself， as part of her small business aspirations， with the updates sent to their smartphone via her WeChat feed. Most passengers wave her away. While at first glance her entreaty seems harmless enough and the personal nature of the advertising makes it seem friendlier than signing up to a mass-email newsletter， these Beijing commuters are generally wary of unsolicited approaches.

A few may have read headlines that shed light on how the personal touch can sometimes make these accounts shadier than their “official account” counterparts. When the boutique operator gets a new WeChat contact， that persons account information becomes visible and is worth money to advertisers who pay in bulk for WeChat accounts they can spam with offers.

The boutique operator is likely just turning a buck with her clothes， but if she sells those WeChat IDs to third parties， she will， perhaps unwittingly， become yet another face of Chinas electronic spam problem， and all those who signed up to her account could be in for some very risky friend requests.

Spam meets Malware

Most people who buy SIM cards in China have been unfortunate victims of spam—often their contact number was sold to spammers by the SIM card manufacturer or an intermediary long before the SIM card was purchased， thus they are doomed to receive unwanted advertising right from the beginning.

But malware has taken advantage of spams natural， virus-like qualities.

The Conficker Worm is the worlds most common form of malware， according to internet security giant Check Point， but a new creepy-crawly from China recently buzzed into the top ten rankings.

Going by the name Hummingbad， Check Points report indicates it has made its way onto around 85 million devices worldwide， affecting 10 million users （with 1.6 million users in China， 1.3 million in India， and over 286，000 in the US）. Once on a device， it can create fake clicks on Google Play applications to install even more malware. However， as with the most common viruses， the goal is not to cripple the host; Hummingbad wants to spread spam， be it real or just a click mirage. Aside from delivering spam， it also defrauds ad networks （the large companies that pay-per-click to place adverts in apps made by small app developers）. Essentially， Hummingbad tricks these ad network companies into thinking someone has clicked on an advert and thus should pay out the fraction of a cent that is owed. Generate enough fake clicks， and it adds up. Hummingbad is believed to generate around 300，000 USD per month.

Which， of course， raises the question： who is taking that cash？

Check Point lays the blame squarely at the feet of Yingmob， which it says is partly a legitimate advertising firm based in Beijing and partly made up of （possibly semi-autonomous） malware developers based in Chongqing， operating under the umbrella of the “Development Team for Overseas Platform”.

Hummingbad reportedly wasnt Yingmobs first attempt. Other internet security research companies have pointed the finger at Yingmob for creating Yispecter， one of the first pieces of malware able to target non-jail-broken iOS phones in a sophisticated fashion. A jail-broken phone is one with a system that has been seriously altered by its user so the company can no longer guarantee the settings work.

Yispecters modus operandi is a little different; it uses four mechanisms to infect phones， the most popular being via Kuaibos QVOD player， which it exploits to install malware. On a side note， the CEO of Kuaibo， Wang Xin， became an unlikely hero to horny Chinese netizens in January 2016 after being put on trial for spreading pornography due to his media player being all but synonymous with porn. He quixotically challenged the charges in court by boldly stating that Kuaibo was no guiltier than any search engine that has a lot of porn， i.e. all of them.

It didnt work.

China fights back

Now the number two spam-producing nation （behind the US）， according to international spam-busting group Spamhaus， China has been significantly stepping up its ground game in dealing with spam in recent years. Whether or not it can combat the tide being unleashed by technological advances is an open question， but Chinese anti-spam bodies do have significant wins to their name.

China has an Anti Spam Alliance which is run by the Internet Society of China （ISC）. The ISC approach to dealing with spam is to target internet service providers （ISPs） that knowingly host spam. This， of course， can get a bit tricky， as it comes down to defining what is and isnt spam.

Before defining spam， they have to spot it. Li Jia， a representative from the ISC， told TWOC that much of this comes from reports from web users， but also international exchanges and “honey pots” where a web crawler has found an email address listed somewhere online and starts spamming it.

Deciding whether or not something qualifies as spam depends just as much on delivery method as content. Unsolicited bulk emails or targeting emails from anonymous senders are common ways to classify spam， though content that is deemed pornographic or “counter-revolutionary” can also get it blacklisted.

Li pointed out that the situation is getting better. “With the enforcement of the real-name cell phone registration system， the mechanisms to manage text message spam are improving. Despite problems with false base-station text messages and spam messages on iPhones， the overall anti-spamming situation looks a lot better than a couple of years ago，” he said.

“It is not efficient to just deal with email accounts of spammers， as it is so easy to spam from new accounts. Therefore， for email spam we usually blacklist the IP addresses of spammers，” he said. “China doesnt have any official registration for IP addresses of mail servers， and thus lacks the regulation and management of undisciplined companies as potential spammers.”

Of course， with different systems for identifying spam， some very curious discrepancies will emerge.

Spamhaus， based in Germany， maintains a public list of ISPs that are repeat offenders， with many on their top ten being Chinese web addresses—the website of internet giant Tencent （responsible for making ubiquitous messenger app WeChat） clocks in at number five on the Spamhaus list， with DrPeng， a computer hardware retailer， coming in at number one. In fact， eight of their top ten spam-enabling IP addresses all either have a .cn or .hk address， or are recognizable Chinese companies. Spamhauss list， however， evaluates their spam abuse departments and their effectiveness， judging them on how well they responded to spam complaints， calling them “de-facto” spam havens， noting that the problem is that they take a “blind eye” to the spam they host， most likely due to the significant profits on offer. Thus， they are being judged on a lack of enforcement rather than creating the spam themselves.

When Spamhaus examines the ISPs that allow the proliferation and coordination of malicious “botnet controllers” which can hijack computers， things look a bit different—a Vietnamese company tops the list， followed by an Indian one. The only obviously Chinese site clocks in at number three. In terms of identified spam operators—the identified people or companies directly responsible for spam—China has just six of the 111 entries， though this is likely in part due to increased difficulties spotting them. These entries include counterfeiters， as well as a Jiangsu-based spammer known as Chen Yu， who prior to 2014， was infamous for malevolent photo-retouching services that used dropboxes and discarded webmail addresses， and apparently managed to hijack several thousand IP addresses around the world. Spamhaus believes he later switched to a “snowshoe” method which is much like a hydra in that instead of one head it has many， in the form of multiple IP addresses to spread spam using a more diverse delivery network （and is thus harder to track）.

Progress in combating spammers of such persistence is no doubt going to be difficult—after all， the problem is not just dedicated spammers like Chen Yu， but also difficulties in enforcement from some of the biggest companies in the country. Given the sheer clout that these companies have—in China， WeChat reaches into peoples lives in ways that even Facebook has not yet been able to replicate in the West—it seems unlikely that they are going to be penalized anytime soon for something as lowly as spam.

Li points out that given the difficulties combating spam proliferation， much of the fight against spam is going to come down to internet users themselves instituting security measures and commonsense measures， such as avoiding writing email addresses on publicly accessible websites where bots can crawl them （or at least adding spaces）.

Following the money

So who profits from spam？ Short answer： loads of people. After all， its basically just low-cost advertising.

With so many products desperate to get attention， spam is ubiquitous and seems here to stay. When Damon McCoy， a computer science professor at New York University， set out to investigate a spam trail， he found it led to some of Chinas largest banks.

His approach was to track 300 purchases of fake luxury products that had been advertised via spam. McCoy targeted fake goods specifically， because they are one of the few products internationally which can trigger a response from credit card companies， unlike complaints over spam.

Around 97 percent of the transactions were handled by the Bank of China， Agricultural Bank of China and the Bank of Communications.

Given the extreme concentration of banking in China within a few large state-owned behemoths， it is perhaps unsurprising that the vast majority of these purchases went through them—after all， they handle millions of transactions. But a report in the Technology Review highlighted one way in which this was of notable significance. Initially， many of his purchases had gone through the Korea Exchange Bank. Complaints from Visa resulted in that bank ceasing their operations with perpetrators.

Despite the fact the Chinese banks have been mentioned in lawsuits launched by luxury brands and counterfeiting watchdogs， the banks did not cease conducting operations for these outfits. They did close down the accounts for counterfeiters， but failed to promptly shut down new accounts opened by the same people.

McCoy said that despite the fact the counterfeiters/spammers in China seemed able to open new accounts and continue operating， there was evidence to indicate that their sales were still being negatively impacted by this approach.

Of course， its not just the banking side of things that is centralized. Chinas internet giants have spread their influence into all sectors of the online market， including various ad agencies， ad providers， and advertising consultancies and analytics. Even smaller companies often spread their business across all these sectors， and there are few firewalls between them—for companies seeking advertising， this creates hidden conflicts of interest that they may not be aware of： is the company advising you shepherding you toward their own products？ Is the company measuring your advertising success also the company doing the advertising for you？

Throw in the opacity that surrounds much of the Chinese internet， and it can be very difficult to know who exactly is providing what services and what financial interests they may have.

At its worst， dangerous “health” providers found ways to utilize search giant Baidus advertising services to provide a veneer of legitimacy which allegedly resulted in the death of a cancer patient because he opted for dodgy treatment—the incident sparked a public outcry which made Baidu reassess its advertising policies.

Only time will tell whether approaches like McCoys or those used by ISC will work， but there are reasons to be optimistic—multiple internet security companies have indicated that as a percentage of total websites， dangerous websites that result in malware intrusions are decreasing each year. In the meantime， best just be careful about where you write your email address.