Researchers at Check Point recently discovered a new variant of Android malware, dubbed Agent Smith, that has already infected roughly 25 million devices. The malware is disguised as a Google-related application and exploits several known Android vulnerabilities to replace installed apps on the victim’s device without any user interaction.
“Check Point Researchers recently discovered a new variant of mobile malware that has quietly infected around 25 million devices, while the user remains completely unaware,” reads the analysis published by the experts. “Disguised as a Google related application, the core part of the malware exploits various known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions without the user’s interaction.”
Most of the victims are located in India, Pakistan and Bangladesh, followed by the UK, Australia and the US.
The Agent Smith malware disguises itself as utility apps (i.e.
Experts believe the malware was developed by a China-based firm to monetize their efforts by serving malicious
In the first stage, the attackers trick victims into downloading a dropper application from third-party app stores such as 9Apps. The dropper application checks if any popular applications
Once the dropper has gained a foothold on the victim’s device, it automatically decrypts the malicious payload into an APK file that represents the core part of the “Agent Smith” attack. The dropper exploits several known vulnerabilities to install the core malware without any user interaction.
In the third stage, the core malware targets applications installed on the device that are included in its target list.
“The core malware quietly extracts a given innocent application’s APK file, patches it with extra malicious modules and finally abuses a further set of system vulnerabilities to silently swap the innocent version with a malicious one.” continues the report.
“While investing a lot of resources in the development of this malware, the actor behind Agent Smith does not want a real update to remove all of the changes made, so here is where the Patch module comes into play.”
“With the sole purpose of disabling automatic updates for the infected application, this module observes the update directory for the original application and removes the file once it appears.”
Researchers explained that the modular structure of the malware makes it easy to use it for other malicious purposes, such as stealing sensitive information.
Experts recommend that users download apps only from trusted app stores and keep their devices up to date, since Agent Smith exploits known flaws dating back to 2017.
Developers are advised to sign their apps with the latest APK Signature Scheme v2 in order to prevent Janus abuse.
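As an added illustration of that recommendation (example code, not Check Point’s or Google’s), the following Python parser checks two things a defender can verify on an APK: whether the file begins with a DEX header rather than a ZIP header (the layout Janus relied on, since a v1 JAR signature covers only the ZIP entries), and whether an APK Signing Block with a Scheme v2 entry is present. The block IDs and layout follow the public APK Signing Block format; the sample APK is constructed inline with placeholder values rather than real signatures.

```python
"""Added example (not Check Point's code): inspect an APK for the signing data
behind the Janus issue. Janus relied on a DEX header prepended to an APK whose
v1 (JAR) signature covered only ZIP entries; Scheme v2 signs the whole file via
an "APK Signing Block" placed just before the ZIP central directory."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 block ID
DEX_MAGIC = b"dex\n"


def _central_directory_offset(data):
    """Read the central-directory offset from the End Of Central Directory record."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return struct.unpack_from("<I", data, eocd + 16)[0]


def inspect_apk(data):
    """Report whether the file starts with a DEX header and which signing blocks it has."""
    cd_offset = _central_directory_offset(data)
    result = {"dex_prefixed": data[:4] == DEX_MAGIC, "block_ids": [], "has_v2": False}
    if data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return result  # no APK Signing Block: at most a v1 (JAR) signature
    size = struct.unpack_from("<Q", data, cd_offset - 24)[0]  # trailing size field
    pos, end = cd_offset - size, cd_offset - 24  # ID-value pairs live in between
    while pos < end:
        pair_len, block_id = struct.unpack_from("<QI", data, pos)
        result["block_ids"].append(block_id)
        pos += 8 + pair_len
    result["has_v2"] = V2_BLOCK_ID in result["block_ids"]
    return result


def build_sample_apk(block_ids):
    """Constructed sample: tiny APK whose signing block carries the given IDs with placeholder values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 8)
    data = buf.getvalue()
    cd_offset = _central_directory_offset(data)
    pairs = b"".join(struct.pack("<QI", 4 + 8, bid) + b"\0" * 8 for bid in block_ids)
    size = len(pairs) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    eocd = data.rfind(b"PK\x05\x06") + len(block)  # EOCD shifted by the insert
    struct.pack_into("<I", patched, eocd + 16, cd_offset + len(block))
    return bytes(patched)
```

A real APK should report `dex_prefixed` false and `has_v2` true; the parser does not validate the signatures themselves, only their presence.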
(SecurityAffairs – Agent Smith, Android malware)