Pierluigi Paganini July 11, 2019

‘Agent Smith’ is a new malware discovered by Check Point researchers that replaces legit Android Apps with malicious ones that infected 25 Million devices worldwide.

Researchers at Check Point recently discovered a new variant of Android malware, dubbed Agent Smith, that has already infected roughly 25 million devices. The malware is disguised as a Google related application and exploits several known Android vulnerabilities to replace installed apps on the victim’s device without the user’s interaction.

“Check Point Researchers recently discovered a new variant of mobile malware that has quietly infected around 25 million devices, while the user remains completely unaware.” reads the analysis published by the experts. ” Disguised as a Google related application, the core part of the malware exploits various known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions without the user’s interaction.”

Most of the victims are located in India, Pakistan and Bangladesh, followed by UK, Australia and the US.

The Agent Smith malware disguises itself as utility apps (i.e. photo editing), adult entertainment, or gaming, it is spread through third-party app stores. The Android malware leverages several Android known vulnerabilities, including the Janus flaw and the Man-in-the-Disk flaw to injects the malicious code into the APKs of legitimate apps that are installed on a compromised device. Then the malicious code automatically re-install/updates them without the user’s interaction.

Experts believe the malware was developed by a China-based firm to monetize their efforts by serving malicious adv. Experts described an attack chain composed of three stages.

In the first stage, the attackers trick victims into downloading a dropper application from third-party app stores such as 9Apps. The dropper application checks if any popular applications is installed on the device then target it with the Agent Smith malware.

Once the dropper has gained a foothold on the victim’s device, it will automatically decrypt the malicious payload into an APK file that represents the core part of “Agent Smith’s attack. The dropper exploits several known vulnerabilities to install core malware without any user interaction.

In the third stage, the core malware targets applications installed on the device that are included in its target list.

“The core malware quietly extracts a given innocent application’s APK file, patches it with extra malicious modules and finally abuses a further set of system vulnerabilities to silently swap the innocent version with a malicious one.” continues the report.

“While investing a lot of resources in the development of this malware, the actor behind Agent Smith does not want a real update to remove all of the changes made, so here is where the Patch module comes in to play”

“With the sole purpose of disabling automatic updates for the infected application, this module observes the update directory for the original application and removes the file once it appears.”

Researchers explained that the modular structure of the malware makes it easy to use it for other malicious purposes, such as stealing sensitive information.

CheckPoint also found at least 11 infected apps on the Google Play Store that contain a malicious yet dormant SDK associated with the “Agent Smith” attackers, a citcumstance that suggests the threat actors aims at infecting Android users via the official store. Google has reportedly removed from the Play Store all the tainted apps.

Experts suggest users download apps only from trusted app stores and keep their devices up to date because Agent Smith exploits known flaws that date back to 2017.

Developers are recommended to implement the latest APK Signature Scheme V2 in order to prevent Janus abuse.

Pierluigi Paganini

(SecurityAffairs – Agent Smith, Android malware)

[adrotate banner=”5″]

[adrotate banner=”13″]