Malware dubbed 'Agent Smith' has infected more than 25 million Android devices, reports security firm Check Point.
Unlike most malware that steals data, often for financial gain, Agent Smith exploits known Android vulnerabilities and replaces apps already on the device - Whatsapp being one - with malicious versions that display ads. The ads aren't malicious but the hackers make money with each click on an ad, just like a legitimate pay-per-click system.
The primary victims have been in Asian countries such as India (15 million devices), Pakistan and Bangladesh, as the malware was originally downloaded from the third party app store, 9Apps, which is popular throughout the region. However, more than 430,000 devices in the US, UK and Australia have also been affected.
Agent Smith first came to to attention of the Check Point Research team in early 2019. Initial samples "had the ability to hide their app icons and claim to be Google related updaters or vending modules." Further analysis revealed characteristics that made the researchers believe they were "looking at an all-new malware campaign found in the wild." Technical analysis and heuristic threat hunting revealed there were three main phases to a 'complete Agent Smith infection':
1. A dropper app lures victim to install itself voluntarily. The initial dropper has a weaponized Feng Shui Bundle as encrypted asset files. Dropper variants are usually barely functioning photo utility, games, or sex related apps.
2. The dropper automatically decrypts and installs its core malware APK which later conducts malicious patching and app updates. The core malware is usually disguised as Google Updater, Google Update for U or “com.google.vending”. The core malware’s icon is hidden.
3. The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update.
The fact that Agent Smith 'exploits known Android vulnerabilities' indicates some apps need updating, as Check Point noted: "(This) requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.
The malware's 'potential' was also discussed: "Another actor could easily take a more intrusive and harmful route. With the ability to hide its icon from the launcher and hijack popular existing apps on a device ... it could steal sensitive information; from private messages to banking credentials and much more."
