‘Agent Smith’ malware infected over 25m Android devices
Published: 05:33 PM, 13 July 2019 Updated: 05:34 PM, 13 July 2019
‘Agent Smith’, a newly discovered piece of Android malware that replaces legitimate Android apps with malicious versions, has infected 25 million devices worldwide, according to security firm Check Point.
Researchers at Check Point named the malware “Agent Smith” because of the methods it uses to attack a device and avoid detection.
The malware is disguised as a Google related application and exploits several known Android vulnerabilities to replace installed apps on the victim’s device without the user’s interaction.
“Check Point Researchers recently discovered a new variant of mobile malware that has quietly infected around 25 million devices, while the user remains completely unaware,” reads the analysis published by the experts. “Disguised as a Google related application, the core part of the malware exploits various known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions without the user’s interaction.”
The primary targets of this malware are in Asian countries, especially India with over 15 million infected devices, as well as Pakistan, Bangladesh, Saudi Arabia and the UK, with around 300k infected devices in the US.
The Agent Smith malware disguises itself as utility apps (e.g. photo editing), adult entertainment or gaming apps, and it is spread through third-party app stores. The malware leverages several known Android vulnerabilities, including the Janus flaw and the Man-in-the-Disk flaw, to inject malicious code into the APKs of legitimate apps installed on a compromised device. The malicious code then automatically re-installs/updates them without the user’s interaction.
Experts believe the malware was developed by a China-based firm to monetize its efforts by serving malicious advertisements. Experts described an attack chain composed of three stages.
In the first stage, the attackers trick victims into downloading a dropper application from third-party app stores such as 9Apps. The dropper application checks whether any popular applications are installed on the device and then targets them with the Agent Smith malware.
In the second stage, once the dropper has gained a foothold on the victim’s device, it automatically decrypts the malicious payload into an APK file that represents the core part of the “Agent Smith” attack. The dropper exploits several known vulnerabilities to install the core malware without any user interaction.
In the third stage, the core malware targets applications installed on the device that are included in its target list.
“The core malware quietly extracts a given innocent application’s APK file, patches it with extra malicious modules and finally abuses a further set of system vulnerabilities to silently swap the innocent version with a malicious one,” continues the report.
Researchers explained that the modular structure of the malware makes it easy to use it for other malicious purposes, such as stealing sensitive information.
Check Point also found at least 11 infected apps on the Google Play Store that contain a malicious yet dormant SDK associated with the “Agent Smith” attackers, a circumstance suggesting the threat actors aim to infect Android users via the official store. Google has reportedly removed all the tainted apps from the Play Store.
Experts suggest users download apps only from trusted app stores and keep their devices up to date, because Agent Smith exploits known flaws that date back to 2017. Developers are advised to implement the latest APK Signature Scheme V2 in order to prevent Janus abuse.
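The recommendation above can be checked rather than taken on trust. The following is an added example, not code from the article or from Check Point: a small Python audit that reports whether an APK image carries an APK Signing Block and whether that block contains an APK Signature Scheme v2 entry, the scheme that signs the whole file's bytes and therefore closes the gap Janus relies on in v1-only (JAR-signed) APKs. The layout it parses (ZIP End of Central Directory, a signing block ending in the magic string “APK Sig Block 42”, and the v2 block ID 0x7109871a) follows the public Android documentation. The two APK images are constructed inline with a synthetic signing block and placeholder signer data; they are not real apps and the block is not a real signature, only the structure an auditor would look for.

```python
import io
import struct
import zipfile

# Magic string that terminates every APK Signing Block (Android docs: "APK Sig Block 42").
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Block ID under which APK Signature Scheme v2 signer data is stored inside the signing block.
APK_SIGNATURE_SCHEME_V2_BLOCK_ID = 0x7109871A
ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_MIN_SIZE = 22


def find_eocd(data: bytes) -> int:
    """Return the offset of the ZIP End of Central Directory record, or -1 if absent."""
    # The EOCD may be followed by a comment of up to 65535 bytes, so scan backwards from the end.
    start = max(0, len(data) - EOCD_MIN_SIZE - 0xFFFF)
    return data.rfind(EOCD_SIGNATURE, start)


def central_directory_offset(data: bytes) -> int:
    """Read the central directory offset out of the EOCD record."""
    eocd = find_eocd(data)
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    return cd_offset


def parse_signing_block(data: bytes):
    """Return {block_id: value} for the APK Signing Block that precedes the central directory, or None."""
    cd_offset = central_directory_offset(data)
    # Block layout: size(8) | ID-value pairs | size(8) | magic(16); the trailer ends right at the CD.
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return None
    (size,) = struct.unpack_from("<Q", data, cd_offset - 24)
    # 'size' counts everything after the leading size field, including the trailing size and magic.
    block_start = cd_offset - 8 - size
    if block_start < 0:
        raise ValueError("malformed APK Signing Block: size field exceeds file")
    (leading_size,) = struct.unpack_from("<Q", data, block_start)
    if leading_size != size:
        raise ValueError("malformed APK Signing Block: size fields disagree")
    pairs = {}
    pos = block_start + 8
    end = cd_offset - 24
    while pos < end:
        # Each pair: uint64 length (of id + value), uint32 id, value bytes.
        (pair_len,) = struct.unpack_from("<Q", data, pos)
        (block_id,) = struct.unpack_from("<I", data, pos + 8)
        pairs[block_id] = data[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return pairs


def audit_apk(data: bytes) -> dict:
    """Summarise the signing posture of an APK image held in memory."""
    result = {
        # A well-formed APK begins with a ZIP local file header; anything else in front of it deserves a look.
        "starts_with_zip_header": data[:4] == ZIP_LOCAL_FILE_HEADER,
        "has_signing_block": False,
        "has_v2_signature": False,
    }
    block = parse_signing_block(data)
    if block is not None:
        result["has_signing_block"] = True
        result["has_v2_signature"] = APK_SIGNATURE_SCHEME_V2_BLOCK_ID in block
    return result


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP (the container format of an APK) from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def add_signing_block(data: bytes, block_id: int, value: bytes) -> bytes:
    """Splice a synthetic APK Signing Block with one ID-value pair in front of the central directory."""
    cd_offset = central_directory_offset(data)
    pair = struct.pack("<QI", 4 + len(value), block_id) + value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = find_eocd(data)
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    # The EOCD moved by len(block), and its central directory offset must move by the same amount.
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(patched)


# Constructed sample images (not real apps): a v1-style archive with no signing block, and the same
# archive with a synthetic v2 signing block whose value is a placeholder, not real signer data.
V1_ONLY_APK = build_zip({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
})
V2_SIGNED_APK = add_signing_block(V1_ONLY_APK, APK_SIGNATURE_SCHEME_V2_BLOCK_ID, b"placeholder-v2-signer-data")

if __name__ == "__main__":
    for label, image in (("v1-only", V1_ONLY_APK), ("v2-signed", V2_SIGNED_APK)):
        print(label, audit_apk(image))
```

On a real file, `audit_apk(open(path, "rb").read())` is enough to flag the APKs that still ship without a v2 block; presence of the block is a necessary condition, not proof of a valid signature, so a positive result should be followed by full verification with the platform's own tooling (for example `apksigner verify`).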