Report: Malware campaign linked to Chinese ad firm infects 250 million computers

A sweeping malware campaign has infected more than 250 million computers around the world in what cybersecurity firm Check Point Software Technologies is calling the “largest infection operation in history.”
CC0 -- Max Pixel

A sweeping malware campaign has infected more than 250 million computers around the world in what cybersecurity firm Check Point Software Technologies is calling the “largest infection operation in history.”

The malware, known as “Fireball,” is designed to turn web browsers into “zombies” — dummy browsers that collect private information — but has potential for causing “global catastrophe,” Check Point says.

Fireball is linked to software distributed by Chinese digital marketing agency and app developer Rafotech, which allegedly uses the malware to spy on and control web browsing to increase traffic and boost ad revenue, according to Check Point.

Fireball is also capable of running code and downloading other files and malware. The sophisticated software has the potential to cause much more damage due to its capabilities as a malware downloader, Check Point claims.


“These actions can have serious consequences,” Check Point wrote in a blog Thursday. “How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more.”

Check Point researchers call Fireball’s spread “alarming.” The majority of infections are concentrated in India (25.3 million), followed by Brazil (24.1 million) and Mexico (16.1 million). The U.S. has 5.5 million infected computers. Check Point claims 20 percent of corporate networks have been affected by the malware.

Maya Horowitz, group manager for threat intelligence of Check Point, told CyberScoop in a statement that the number of infected computers reported is based on data retrieved from Amazon’s Alexa analytics unit, “of the number of unique devices communicating with the domains related to this campaign,” adding that this is a number that aligns with the 300 million users Rafotech reports on its website.

Horowitz stated that Check Point sees Fireball “evolving into [new] fake search engines and new infected devices on a daily basis.”

The malicious software embeds in other seemingly innocuous software products available for download, including Rafotech’s “Deal Wifi” and “Mustang Browser” and freeware products “Soso Desktop” and “FVP Imageviewer,” but the company could be using other methods.


The report explains that Rafotech’s distribution of Fireball is not deemed criminal, as it is considered adware. Because the software is free to customers and the customers agree to installation, distribution of adware falls into a sort of legal “gray zone.”

“As with everything in the internet, remember that there are no free lunches,” Check Point stated in the blog, encouraging consumers to be vigilant.

Check Point claims that Rafotech’s method of distribution is illegitimate and likely intentional, as the dummy search engines and malware cannot be uninstalled by typical users, do not show connections to Rafotech, and disguise their true use.

Rafotech did not immediately respond to CyberScoop’s request for comment.

Signs of infection include inability to change and adjust settings on web browsers and the presence of unfamiliar browser extensions. The adware can be removed by removing the application from the infected device.

Latest Podcasts