Now, a new Android malware, named Agent Smith, has been discovered by the Check Point (a cyber-security firm), that can infect devices and replace legitimate apps with clones to show a deluge of ads for a criminal group’s interests.
According to a report, this malware has made over 25 million victims located in India ( approx 15.2 million), Bangladesh ( approx 2.5 million), and Pakistan ( approx 1.7 million). And most users still infected for a period of two months.
Check Point, a cyber-security firm who discovered this malware, said that it tracked down this malware operator linked to a Chinese tech company located in the city of Guangzhou. The cyber-security firm found that ads for job roles that were consistent with operating the Agent Smith malware infrastructure and had no connection to the company’s real business. Though, the company claimed that it operates a front-end legitimate business that helps Chinese Android app developers publish and promote their apps on overseas platforms.
Agent Smith malware appeared in early 2018 and has been around for more than a year. It was only distributed via boobytrapped Android apps uploaded on 9Apps, an independent Android app store managed by UCWeb (the developer behind the UC Browser Android browser). This malware is incredibly hard to detect and also has a novel structure and infection methodology that makes it hard to detect until it’s too late, and the phone has been compromised. The researchers did not reveal any other details about the company.
The research team also reported that the apps that infected with Agent Smith malware have also appeared on the Google Play Store. The team has already detected 11 such apps on the Android app store.
Check Point said,
Evidence implies that the ‘Agent Smith’ actor is currently laying the groundwork, increasing its Google Play penetration rate and waiting for the right timing to kick off attacks. By the time of this publication, two (Agent Smith) infected apps have reached 10 million downloads while others are still in their early stages.
According to the reports, Agent Smith malware using a three-part infection mechanism that’s on a par with the most advanced Android malware operations known today, such as CopyCat, Gooligan, and HummingBad. This malware also used malicious code that hidden in games, utility, or adult-themed apps uploaded on the 9Apps store. When users would download these apps, the affected apps would later download and install another Android app package (APK) that actually contained the Agent Smith malware. Once the phone is infected, Agent Smith would scan locally installed apps on that device, and using an internal target list to replace the original apps with ad-infected clones.
The entire process is quite stealthy and innovative, and it’s very surprising to see that it used for something as banal as adware.
The research team also produces a screenshot of infected apps on the Play Store.
The researchers also informed Android device users that this malware will show unwanted ads at the initial stage, tomorrow it could steal sensitive information that could relate from private messages to banking credentials and even much more.
Check Point has worked closely with Google to disinfect Agent Smith malware.