“Agent Smith” – Cybersecurity Researchers Warn Malware Attack on Android Phones

More than 25 million Android phones have been infected with malware that replaces real installed apps like WhatsApp with ad-serving fake versions, cybersecurity researchers warned on 10th July 2019.

According to the Check Point researchers, who dubbed it “Agent Smith,” the malware replaces popular apps with malicious versions and tricks users by serving them advertisements. The researchers chose the name for the methodology the malware uses to attack a device, exploit its vulnerabilities, and avoid detection. It does not steal any data from the user’s device; instead it hijacks app code and forces the apps to display more advertisements. The researchers added that the ads themselves were not malicious, but as in a typical pay-per-click scheme, every click on an injected advertisement sends money back to the attackers. The operators also take credit for ads that have already been displayed, so they profit from the fraudulent views as well.

The way Agent Smith operates is scary and ingenious. The researchers mentioned that the malware looks for popular apps on a device, such as WhatsApp, Opera Mini, and Flipkart, replaces segments of their code, and prevents them from being updated. It has spread through a third-party app store, 9apps.com, which is owned by China’s Alibaba, rather than through the official Google Play store. According to Check Point, the malware is hidden inside photo utilities, games, or sex-related apps. Once the user downloads such an app, the malware disguises itself as a Google-related app, using a name such as “Google updater,” “Google Update for U,” or “com.google.vending.” In the next stage, it looks for apps on the device that are also on a target list, which is either hardcoded or received from the command and control (C2) server. When a match is found, it begins tampering with that app’s code without the user’s knowledge. No icon appears on the screen, which makes it even sneakier.

Here is the list of targeted Android applications hardcoded in the malware. When Agent Smith cannot reach the C2, it falls back to this list to find matches and retrieve an updated version.

  • com.whatsapp
  • com.lenovo.anyshare.gps
  • com.mxtech.videoplayer.ad
  • com.jio.jioplay.tv
  • com.jio.media.jiobeats
  • com.jiochat.jiochatapp
  • com.jio.join
  • com.good.gamecollection
  • com.opera.mini.native
  • in.startv.hotstar
  • com.meitu.beautyplusme
  • com.domobile.applock
  • com.touchtype.swiftkey
  • com.flipkart.android
  • cn.xender
  • com.eterno
  • com.truecaller
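As an added example (not from the article or from Check Point), here is a defender-side triage script that applies the article's indicators to `adb shell pm list packages -f -i` output: the hardcoded target list, the com.google.vending disguise name, and the advice to install apps only from Google Play. The "Google-named package under /data/app" and "installer is not Play" heuristics are assumptions for this example, and the sample output is constructed.

```python
import re

# Agent Smith's hardcoded target list, as published in the article above.
AGENT_SMITH_TARGETS = {
    "com.whatsapp", "com.lenovo.anyshare.gps", "com.mxtech.videoplayer.ad",
    "com.jio.jioplay.tv", "com.jio.media.jiobeats", "com.jiochat.jiochatapp",
    "com.jio.join", "com.good.gamecollection", "com.opera.mini.native",
    "in.startv.hotstar", "com.meitu.beautyplusme", "com.domobile.applock",
    "com.touchtype.swiftkey", "com.flipkart.android", "cn.xender",
    "com.eterno", "com.truecaller",
}
# Package name the article reports the dropper using to pose as a Google component.
DISGUISE_NAMES = {"com.google.vending"}
PLAY_STORE = "com.android.vending"

# `pm list packages -f -i` prints: package:<apk path>=<package>  installer=<pkg|null>
LINE_RE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

def parse_pm_list(output):
    """Parse `adb shell pm list packages -f -i` output into (pkg, apk_path, installer)."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["pkg"], m["path"], m["inst"]))
    return rows

def triage(rows):
    """Return {pkg: reason} for packages worth a closer look. Assumptions for this
    example: Google's own packages live on read-only partitions (not /data/app),
    and targeted apps should have been installed by the Play Store."""
    findings = {}
    for pkg, path, inst in rows:
        if pkg in DISGUISE_NAMES:
            findings[pkg] = "package name reported as an Agent Smith disguise"
        elif pkg.startswith("com.google.") and path.startswith("/data/app/"):
            findings[pkg] = "Google-named package sideloaded into /data/app"
        elif pkg in AGENT_SMITH_TARGETS and inst != PLAY_STORE:
            findings[pkg] = f"targeted app not installed by Play (installer={inst})"
    return findings

# Constructed sample output, not captured from a real device.
SAMPLE = """\
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp  installer=com.android.vending
package:/data/app/com.truecaller-2/base.apk=com.truecaller  installer=null
package:/data/app/com.google.vending-1/base.apk=com.google.vending  installer=null
package:/product/app/Gmail2/Gmail2.apk=com.google.android.gm  installer=null
package:/data/app/com.flipkart.android-1/base.apk=com.flipkart.android  installer=com.android.vending
"""
```

Run `triage(parse_pm_list(SAMPLE))` to get the flagged packages; on a real device, pipe the output of `adb shell pm list packages -f -i` into `parse_pm_list` instead.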

Typically, such third-party attacks target developing countries. Agent Smith has primarily infected devices in India, more than 15 million of them. It has also infected as many as 300,000 devices in the US and 137,000 in the UK, making it one of the worst threats to hit Google’s operating system in recent years. Despite its focus on India, it has also made its way to nearby countries, including Bangladesh (over 2.5 million), Pakistan (almost 1.7 million), and Indonesia (570,000).

The researchers also added: “This led us to estimate there to be over 2.8 billion infections in total, on around 25 million unique devices, meaning that on average, each victim would have suffered roughly 112 swaps of innocent applications.” This implies that Agent Smith doesn’t limit itself to infecting a single app; it will infect any and all apps on its target list that it finds on the device.

Timeline of Annoying Adware turning into Mature Agent Smith

“Due to its ability to hide its icon from the launcher and impersonate any popular existing app on a device, there are endless possibilities for this sort of malware to harm a user’s device,” the researchers warned in a technical report. The researchers also said that they had notified Google and law enforcement agencies. At the time, Google had not commented.

Given the way it works, detecting Agent Smith is challenging. According to Jonathan Shimonovich, Head of Mobile Threat Detection Research at Check Point Software Technologies, “The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own. Users should only be downloading apps from trusted app stores to mitigate the risk of infection as third-party app stores often lack the security measures required to block adware loaded apps.”

Do you see an ad pop up when opening WhatsApp? If so, your Android phone has been hit by this malware, because WhatsApp does not serve any ads on its platform. If you are getting too many ads on your Android phone, scan it with a reputable anti-virus immediately. Consider these security practices:

  • Don’t download applications from third-party app stores like 9Apps.
  • If you suspect your phone is infected, clear the data of popular apps like WhatsApp and reinstall them, or perform a factory reset.
  • Avoid sleazy apps or gaming apps from unknown sources.
  • While installing any app, read the permissions and other privacy details carefully.