15 July 2019

“Agent Smith” malware infected more than 25 million Android devices

A new variant of mobile malware dubbed “Agent Smith” has already infiltrated more than 25 million Android devices, mainly in India, Pakistan and Bangladesh. Check Point researchers discovered the malware disguised as a Google-related application; it uses known Android exploits to automatically replace installed apps with malicious clones, without the user’s knowledge or interaction. The malware’s behavior resembles that of previous campaigns such as Gooligan, HummingBad and CopyCat.

Currently the “Agent Smith” operators are using the malware to earn money by serving malicious advertisements, but it could easily be turned to more intrusive and harmful attacks such as banking credential theft, because it can hide its icon from the launcher and disguise itself as any popular app installed on a device.

The Agent Smith malware masquerades as utility apps (e.g. photo editors), adult entertainment, or games. It is spread through third-party app stores such as “9Apps”, a store backed by the UC team and targeted mostly at Indian (Hindi), Arabic, and Indonesian users. The initial dropper automatically decrypts and installs the core malware APK, which is usually disguised as Google Updater, Google Update for U or “com.google.vending”. The core malware extracts the device’s installed app list and, upon finding apps of interest, extracts the legitimate APKs, injects malicious ad modules and then reinstalls the repackaged APKs. To inject the malicious code the malware leverages several known Android vulnerabilities, including the Janus flaw, which allows arbitrary code to be added to an app while its signature check is bypassed.
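One defensive check the Janus detail above invites, as an added example that is not from the Check Point report or any product it names: a Janus-style file is a valid DEX and a valid ZIP at the same time, so a triage script can flag APKs that open with the DEX magic yet still carry a ZIP central directory, and can note whether an APK Signature Scheme v2 block (which covers the whole file and therefore closes this gap) is present. The two sample APKs are constructed in-memory stand-ins, not real malware.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"
EOCD_SIG = b"PK\x05\x06"
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"

def find_eocd(data: bytes) -> int:
    """Offset of the ZIP end-of-central-directory record, or -1 if absent."""
    # 22-byte EOCD at the tail, possibly pushed back by a comment of <= 64 KiB.
    return data.rfind(EOCD_SIG, max(0, len(data) - 65536 - 22))

def has_v2_signing_block(data: bytes) -> bool:
    """v2 signing stores a block ending in a 16-byte magic right before the
    central directory. Locate the directory from its size in the EOCD, since
    the stored offset goes stale once bytes are prepended to the file."""
    eocd = find_eocd(data)
    if eocd < 0:
        return False
    cd_start = eocd - struct.unpack_from("<I", data, eocd + 12)[0]
    return cd_start >= 16 and data[cd_start - 16:cd_start] == APK_SIG_BLOCK_MAGIC

def is_janus_hybrid(data: bytes) -> bool:
    """True if the file opens with a DEX header yet still parses as a ZIP."""
    return (data.startswith(DEX_MAGIC) and find_eocd(data) >= 0
            and zipfile.is_zipfile(io.BytesIO(data)))

def triage(data: bytes) -> str:
    """One-word verdict for a defender's quick look at an APK image."""
    if is_janus_hybrid(data):
        return "janus-hybrid"
    return "v2-signed" if has_v2_signing_block(data) else "v1-only"

def build_sample(prepend: bytes = b"") -> bytes:
    """Constructed stand-in for an APK: a tiny ZIP with manifest and DEX entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 100)
    return prepend + buf.getvalue()

CLEAN_APK = build_sample()
# Janus-style hybrid: a DEX header glued in front of the unchanged ZIP bytes,
# so v1 (JAR) signature checks over the entries would still pass.
HYBRID_APK = build_sample(prepend=b"dex\n035\0" + b"\0" * 104)
```

A "v1-only" verdict on a real APK is not proof of tampering, only a prompt to compare the app against a known-good copy before trusting it.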

Although infections were concentrated in India (over 15 million), Bangladesh (over 2.5 million), and Pakistan (almost 1.7 million), they were also seen on devices in Saudi Arabia (245k), Australia (141k), the U.K. (137k), and the U.S. (303k). The researchers believe the “Agent Smith” malware was developed by a China-based firm that uses it for financial gain.

According to the Check Point report, the malware has been active since early 2016. For two years its operators tested the ground using the 9Apps store as a distribution channel, but they appear to have decided to expand into the official Google Play store: the researchers found at least 11 infected apps on Google Play that contain a malicious yet dormant SDK related to the “Agent Smith” campaign. Check Point informed Google and all the tainted apps were removed.
