Agent Smith malware infects nearly 25 million Android devices

• The malware replaced legitimate Android apps with malicious versions that serve advertisements.
• It was disguised in an app on a third-party app store and is known to exploit various Android vulnerabilities.

Close to 25 million Android devices have been infected with a new, unique malware called “Agent Smith”. The malware leverages Android vulnerabilities for infection and replaces legitimate apps with malicious versions riddled with ads.

Discovered by security experts from Check Point Research, Agent Smith has targeted victims mainly in India (over 15 million devices) as well as other countries in South Asia. The malware campaign has also targeted users in the US and the UK.

How does it work?

• In a detailed analysis report, security researchers indicate that Agent Smith malware goes through three phases for infecting Android devices.
• Firstly, the victims are lured by a malicious app either in the form of photo utility, games, or an adult app. Upon the app’s installation, the core malware APK is decrypted and installed.
• This is then disguised as Google Updater, Google Update for U, or “com.google.vending”. In fact, the malware app’s icon is now hidden from users’ view.
• Next, it extracts the device’s installed app list and checks apps in another list that are either hard-coded or drawn from a command-and-control (C2) server. If the apps in both the lists match, the malware extracts the base APK of the target app on the device, patches the APK with malicious ad modules, re-installs the APK, and replaces the original one as an update.
• Agent Smith malware is spread through a malicious app present in a third-party app store ‘9apps.com’.

More than just ads

Check Point’s experts suggest that the malware might be used for other activities apart from just pushing ads. “In this case, ‘Agent Smith’ is being used for financial gain through the use of malicious advertisements. However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft,” wrote the experts in their report.

Worth noting

The experts also found that 11 apps on Google Play were dropping Agent Smith. Upon notifying Google, the apps were immediately removed from the platform.