'Agent Smith' Malware Infects 25 million Android Devices

Giulio Saggin
Tuesday 28 November 2023

Malware dubbed 'Agent Smith' has infected more than 25 million Android devices, reports security firm Check Point.

Unlike most malware, which steals data, often for financial gain, Agent Smith exploits known Android vulnerabilities and replaces apps already on the device - WhatsApp being one - with malicious versions that display ads. The ads themselves aren't malicious, but the hackers make money with each click on an ad, just like a legitimate pay-per-click system.

The primary victims have been in Asian countries such as India (15 million devices), Pakistan and Bangladesh, as the malware was originally downloaded from the third-party app store 9Apps, which is popular throughout the region. However, more than 430,000 devices in the US, UK and Australia have also been affected.

Agent Smith first came to the attention of the Check Point Research team in early 2019. Initial samples "had the ability to hide their app icons and claim to be Google related updaters or vending modules." Further analysis revealed characteristics that made the researchers believe they were "looking at an all-new malware campaign found in the wild." Technical analysis and heuristic threat hunting revealed there were three main phases to a 'complete Agent Smith infection':

1. A dropper app lures the victim to install it voluntarily. The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files. Dropper variants are usually barely functioning photo utilities, games, or sex-related apps.

2. The dropper automatically decrypts and installs its core malware APK which later conducts malicious patching and app updates. The core malware is usually disguised as Google Updater, Google Update for U or “com.google.vending”. The core malware’s icon is hidden.

3. The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update.
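The three phases above give a defender two things to look for on a device: a package that borrows a Google-style name it has no right to (the report names "com.google.vending" as one disguise), and a legitimate app whose installed APK is no longer signed by its real developer, which is what a repackaged "update" looks like. The following triage helper is an added example, not Check Point's tooling or anything from the report. It parses the text format of `adb shell pm list packages -f`, compares per-package signer digests against a baseline, and flags both conditions. The sample output, the signer digests and the allowlist of genuine Google package names are all constructed for the example; a real deployment would collect the digests with `apksigner verify --print-certs` and maintain a proper allowlist.

```python
"""Device triage for the Agent Smith infection pattern (added example).

Two heuristics are implemented:
  1. a package in the com.google.* namespace that is not on the allowlist of
     known Google components (impersonation of "Google Updater"/"vending"),
  2. a package whose installed signing-certificate digest differs from the
     baseline recorded for that app (a legitimate app replaced by a patched
     APK that is passed off as an update).
Neither heuristic is definitive on its own; both are meant to shortlist
packages for manual inspection.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `adb shell pm list packages -f` output. Newer Android
# versions place APKs under directories whose names contain '=' characters,
# so the parser splits on the LAST '=' rather than the first.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~Q2xYz==/com.whatsapp-AbCd==/base.apk=com.whatsapp
package:/data/app/com.google.vending-2/base.apk=com.google.vending
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/com.example.photofilter-1/base.apk=com.example.photofilter
"""

# Constructed signer digests (placeholders, not real certificate hashes).
# BASELINE would come from a trusted source such as the vendor's store listing;
# INSTALLED is what `apksigner verify --print-certs` reports on the device.
BASELINE_SIGNERS: Dict[str, str] = {
    "com.whatsapp": "sha256:CONSTRUCTED-WHATSAPP-DEVELOPER-CERT",
    "com.android.chrome": "sha256:CONSTRUCTED-GOOGLE-CHROME-CERT",
}
INSTALLED_SIGNERS: Dict[str, str] = {
    "com.whatsapp": "sha256:CONSTRUCTED-UNKNOWN-REPACKAGER-CERT",  # mismatch
    "com.android.chrome": "sha256:CONSTRUCTED-GOOGLE-CHROME-CERT",  # matches
    "com.google.vending": "sha256:CONSTRUCTED-UNKNOWN-REPACKAGER-CERT",
}

# Illustrative allowlist of genuine Google package names; extend for real use.
GOOGLE_ALLOWLIST = frozenset({
    "com.google.android.gms",
    "com.google.android.gsf",
    "com.google.android.apps.maps",
})


def parse_pm_list(output: str) -> Dict[str, str]:
    """Parse `pm list packages -f` lines into {package_name: apk_path}."""
    packages: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        path, _, pkg = line[len("package:"):].rpartition("=")
        if pkg and path:
            packages[pkg] = path
    return packages


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def triage(pm_output: str,
           installed_signers: Dict[str, str],
           baseline_signers: Dict[str, str],
           google_allowlist: frozenset = GOOGLE_ALLOWLIST) -> List[Finding]:
    """Apply both heuristics and return the packages worth a closer look."""
    findings: List[Finding] = []
    for pkg, path in parse_pm_list(pm_output).items():
        # Heuristic 1: Google namespace without being a known Google component.
        if pkg.startswith("com.google.") and pkg not in google_allowlist:
            findings.append(Finding(pkg, f"com.google.* name not on allowlist, installed at {path}"))
        # Heuristic 2: signer changed relative to the recorded baseline.
        expected = baseline_signers.get(pkg)
        actual = installed_signers.get(pkg)
        if expected is not None and actual is not None and expected != actual:
            findings.append(Finding(pkg, f"signer mismatch: baseline {expected}, installed {actual}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the triage over the constructed sample data."""
    return triage(SAMPLE_PM_OUTPUT, INSTALLED_SIGNERS, BASELINE_SIGNERS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.package}: {f.reason}")
```

Note that the dropper itself (the constructed `com.example.photofilter`) produces no finding: a freshly installed utility with no baseline looks like any other sideloaded app, which is exactly why the report's phase 1 relies on the victim installing it voluntarily. The signals appear only once phases 2 and 3 have modified the device, so a baseline of signer digests captured before the incident is what makes the second heuristic useful.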

The fact that Agent Smith 'exploits known Android vulnerabilities' indicates some apps need updating, as Check Point noted: "(This) requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time."

The malware's 'potential' was also discussed: "Another actor could easily take a more intrusive and harmful route. With the ability to hide its icon from the launcher and hijack popular existing apps on a device ... it could steal sensitive information; from private messages to banking credentials and much more."
