15 July 2019

“Agent Smith” malware infected more than 25 million Android devices

A new variant of mobile malware dubbed “Agent Smith” has already infiltrated more than 25 million Android devices, mainly in India, Pakistan and Bangladesh. Check Point researchers discovered the malware disguised as a Google-related application; it uses known Android exploits to automatically replace installed apps with malicious clones, without users’ knowledge or interaction. The malware’s behavior resembles previous campaigns such as Gooligan, HummingBad and CopyCat.

Currently the operators of “Agent Smith” are using the malware to earn money through malicious advertisements, but it could easily be turned to more intrusive and harmful attacks such as banking credential theft, because it can hide its icon from the launcher and disguise itself as any popular app installed on a device.

The Agent Smith malware masquerades as utility apps (e.g. photo editing), adult entertainment or games. It is spread through third-party app stores such as “9Apps”, a store backed by the UC team and aimed mostly at Indian (Hindi), Arabic and Indonesian users. The initial dropper automatically decrypts and installs the core malware APK, which is usually disguised as Google Updater, Google Update for U or “com.google.vending”. The core malware extracts the device’s installed app list and, upon finding apps of interest, extracts the legitimate apps' APKs, injects malicious ad modules and then reinstalls the APKs. To inject the malicious code the malware leverages several known Android vulnerabilities, including the Janus flaw, which allows bypassing an app's signature check and adding arbitrary code to it.
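The Janus flaw mentioned above works because a single file can be a valid DEX at offset 0 and a valid APK (ZIP) at the same time: the v1 (JAR) signature only covers the ZIP entries, while the runtime executes whatever starts with the DEX magic. The following is an added triage example, not Check Point's or Google's code; the function names are hypothetical and the APK samples are constructed in memory. It flags that dual-format shape and reports whether an APK Signing Block (v2/v3, which covers the whole file) is present, without verifying any signature itself.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"  # DEX files begin with b"dex\n035\0"; the runtime keys off these bytes
ZIP_LOCAL_MAGIC = b"PK\x03\x04"
EOCD_MAGIC = b"PK\x05\x06"
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailing magic of the APK Signing Block

def central_directory_start(data: bytes) -> int:
    """Find the central directory from the file's end, so bytes prepended
    to the ZIP (the Janus shape) do not throw the lookup off."""
    eocd = data.rfind(EOCD_MAGIC)
    if eocd < 0:
        raise ValueError("no End-of-Central-Directory record: not a ZIP/APK")
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    return eocd - cd_size

def has_apk_signing_block(data: bytes) -> bool:
    """v2/v3 signatures cover every byte of the file, which is what closes Janus."""
    cd = central_directory_start(data)
    return cd >= 16 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC

def janus_suspect(data: bytes) -> bool:
    """A file that is a DEX at offset 0 and also carries a ZIP central directory
    is the dual-format shape Janus relies on; no legitimate APK looks like this."""
    if not data.startswith(DEX_MAGIC):
        return False
    try:
        central_directory_start(data)
    except ValueError:
        return False
    return True

# Constructed samples only (hypothetical, no real malware): a minimal
# v1-style APK, and a helper that grafts an empty fake signing block onto it.
def build_plain_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"placeholder")
        z.writestr("META-INF/CERT.SF", b"placeholder")  # v1 (JAR) signing only
    return buf.getvalue()

def add_fake_signing_block(apk: bytes) -> bytes:
    cd = central_directory_start(apk)
    block = struct.pack("<QQ", 24, 24) + APK_SIG_BLOCK_MAGIC  # empty block, two size fields
    out = bytearray(apk[:cd] + block + apk[cd:])
    struct.pack_into("<I", out, out.rfind(EOCD_MAGIC) + 16, cd + len(block))  # fix cd offset
    return bytes(out)
```

Prepending `b"dex\n035\x00"` to `build_plain_apk()` reproduces the suspicious shape, while `add_fake_signing_block` shows what a v2/v3-signed file looks like to the check.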

Although the malware mainly focused on India (over 15 million), Bangladesh (over 2.5 million) and Pakistan (almost 1.7 million), infections were also seen on devices in Saudi Arabia (245k), Australia (141k), the U.K. (137k) and the U.S. (303k). The researchers believe the “Agent Smith” malware was developed by a China-based firm that uses it for financial gain.

According to the Check Point report, the malware has been active since early 2016. For two years its operators tested the ground using the 9Apps store as a distribution channel, but they appear to have decided to expand into the official Google Play store. The researchers found at least 11 infected apps on Google Play containing a malicious yet dormant SDK related to the “Agent Smith” campaign. Check Point informed Google and all the tainted apps were removed.
