Fireball adware was revealed in june as being present on 20 percent of the world’s corporate networks
Fireball adware was revealed in june as being present on 20 percent of the world’s corporate networks

Chinese police have cracked down on the masters of one of the world's most proliferate pieces of adware. Eleven Rafotech employees, Fireball adware's developer, have been arrested by Beijing police including Rafotech's president, technical director and operations director.

All three have already admitted to the crime, saying that they co-funded the development of the adware in 2015 to generate advertising revenue for the marketing company. Beijing Youth Daily reports that Fireball made 80 million yuan (over £9 million) for its owners.

Police forces had been monitoring Fireball for some time, having been tipped off a by pseudonymed source called him or herself Zhang Ming, but wanted to analyse the adware's behaviour before making concrete moves.  Though Chinese outlets have been reporting the arrests in the last few days, the arrests are thought to have been made earlier in June.

These arrests come as part of a broader crackdown by Chinese police forces, who have been looking ever more closely at computer crimes in recent months.

Fireball was supposedly engineered  to avoid infecting Chinese computers, thus circumventing the local laws. It was however, more than happy to go to town on the rest of the world's networks. In June, Check Point software declared that the adware could be found on 20 percent of corporate networks and 250 million endpoints globally.  While it was used to distribute ads, researchers noted that it could be easily turned to distribute malware.

Bundled as part of legitimate software, Fireball hijacks its targets web traffic, redirecting them to pages its masters wants its victims to see. From there, fireball generates ad revenue for its masters, showing its targets unwelcome ads, but generating hits all the same.

Its owners were identified by Check Point as the Chinese marketing company, Rafotech.  Researchers noted that this kind of practice fell within a large grey area:  “Rafotech carefully walks along the edge of legitimacy. Knowing that adware distribution is not considered a crime like malware distribution is, many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the installation of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.”  

That grey area appears to have gotten smaller with the arrest of senior Rafotech staff. Investigations are still ongoing.