Researchers have discovered a new strain of Android malware that replaces portions of installed apps with its own code. The malware has reportedly affected over 25 million Android devices globally, around 15 million of them in India.
Dubbed Agent Smith, the malware exploits known weaknesses in the Android operating system to replace legitimately installed apps on the device with malicious versions, without any user intervention.
Check Point, which discovered the malware earlier this year, says it tracked its operators to a Chinese tech company based in Guangzhou. According to the researchers, the company runs a legitimate front-end business that helps Chinese Android app developers publish and promote their apps on overseas platforms.
However, Check Point also found that the company had posted job advertisements for roles consistent with operating the Agent Smith malware infrastructure, with no connection to its legitimate business.
The job listings date back to 2018, which is also when Check Point says the first versions of the malware began appearing. The researchers did not share further details about the company, citing an ongoing law enforcement investigation.
How Agent Smith works
Agent Smith uses a three-stage infection chain to build a botnet of devices controlled from a command-and-control (C&C) server, which issues malicious commands.
- The entry point is a dropper app that the victim installs voluntarily. These are usually repackaged versions of legitimate apps, such as Temple Run, with additional code bundled in.
- The dropper automatically installs the core malware, an Android package (.APK) whose icon is hidden from the home-screen launcher. It evades notice by posing as a Google-related updater.
- The core malware APK extracts the list of installed apps on the device and compares it against a “prey list” of targets, either hard-coded or supplied by the C&C server. On a match, it extracts the target app’s base APK, injects malicious ad modules into it, and installs the resulting ‘copycat’ version as if it were a regular app update.
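As an added illustration of what a defender can check for, the following Python script (written for this edit; it is not Check Point’s tooling and not code from the campaign) triages a constructed package inventory against three indicators the chain above leaves behind: a targeted app whose signing certificate no longer matches a known-clean baseline, a targeted app whose installer is something other than the store it came from, and a hidden, Google-branded package outside Google’s package namespaces. The package names, labels, certificate digests, installer names and the prey list are all placeholders invented for the example.

```python
"""Triage an Android package inventory for Agent Smith-style indicators.

Added example: not Check Point's tooling and not code from the campaign.
It consumes a constructed inventory shaped like what a collector built on
`adb shell pm list packages -i`, `pm dump` and `apksigner verify --print-certs`
could assemble; field names, package names and certificate digests are
assumptions and placeholders, not real values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder baseline of signing-certificate digests recorded when the
# device was known to be clean (hypothetical values, not real fingerprints).
KNOWN_SIGNERS = {
    "com.example.runner": "sha256:aaaa-runner-baseline",
    "com.example.messenger": "sha256:bbbb-messenger-baseline",
    "com.google.android.gms": "sha256:cccc-google-baseline",
}

# Stand-in for the "prey list": package names the malware is reported to
# target. The real list is hard-coded in the malware or pushed from the C&C.
PREY_LIST = {"com.example.runner", "com.example.messenger"}

PLAY_STORE = "com.android.vending"
# Package namespaces in which a Google-branded label is expected.
GOOGLE_NAMESPACES = ("com.google.", "com.android.")


@dataclass(frozen=True)
class Package:
    name: str                 # package name
    label: str                # human-readable app label
    signer: str               # digest of the signing certificate
    installer: Optional[str]  # installerPackageName; None for sideloads/system
    has_launcher_icon: bool   # whether a launcher activity is exported


def triage(inventory: List[Package]) -> Dict[str, List[str]]:
    """Return {package_name: [reasons]} for every package that trips a rule."""
    findings: Dict[str, List[str]] = {}
    for pkg in inventory:
        reasons: List[str] = []

        # Rule 1: signing certificate differs from the clean baseline. A
        # repackaged APK re-signed by the attacker fails this check. If the
        # weakness exploited is a signature-verification bypass, the recorded
        # digest may be unchanged, so never rely on this rule alone.
        expected = KNOWN_SIGNERS.get(pkg.name)
        if expected is not None and pkg.signer != expected:
            reasons.append("signing certificate differs from baseline")

        # Rule 2: a targeted app was (re)installed by something other than the
        # store it came from. The stage-3 "update" is performed by the hidden
        # malware APK, which then shows up as the installer.
        if pkg.name in PREY_LIST and pkg.installer != PLAY_STORE:
            reasons.append(
                f"targeted app installed by {pkg.installer or 'unknown'}, "
                "not the Play Store"
            )

        # Rule 3: Google-branded label, no launcher icon, outside Google's
        # namespaces: the disguise used by the stage-2 component.
        looks_google = "google" in pkg.label.lower()
        in_google_ns = pkg.name.startswith(GOOGLE_NAMESPACES)
        if looks_google and not in_google_ns and not pkg.has_launcher_icon:
            reasons.append("hidden app impersonating a Google updater")

        if reasons:
            findings[pkg.name] = reasons
    return findings


# Constructed inventory: one clean target, one copycat, one disguised
# stage-2 payload and one genuine Google component (all placeholders).
SAMPLE_INVENTORY = [
    Package("com.example.messenger", "Messenger",
            "sha256:bbbb-messenger-baseline", PLAY_STORE, True),
    Package("com.example.runner", "Temple Runner",
            "sha256:ffff-attacker", "com.example.updater", True),
    Package("com.example.updater", "Google Updater",
            "sha256:ffff-attacker", "com.example.dropper", False),
    Package("com.google.android.gms", "Google Play services",
            "sha256:cccc-google-baseline", None, False),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_INVENTORY).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a real device the inventory would be assembled from, for example, `adb shell pm list packages -i` for the installer of each package and `apksigner verify --print-certs` on the pulled APKs for the certificate digests; the baseline must be captured on a device known to be clean, otherwise a copycat already present is simply baselined in. Rule 2 is the most direct signal of the stage-3 behaviour described above, since a genuine Play Store update does not change the installer to a sideloaded package.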
“Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like ‘Agent Smith’,” said the report. In addition, users should only download apps from trusted app stores to reduce the risk of infection, as third-party app stores often lack the security measures needed to block adware-laden apps.