A new type of malware targeting smartphones has infected around 25 million devices (15 million of which are in India). This malware is named Agent Smith. Agent Smith targets the Android mobile operating system, replacing installed apps with malicious versions without the user’s knowledge.
Today’s article will show you how to detect, prevent and protect your Android device from Agent Smith malware.
Agent Smith is a modular malware that exploits a series of Android vulnerabilities to replace existing legitimate apps with a malicious fake version. Malicious apps don’t steal data. Instead, the replaced apps show a large amount of ads to the user or steal credits from the device to pay for the ads that were displayed.
Agent Smith has the same name as a character from the famous movie The Matrix. The Check Point team believes that the methods used by this malware to spread are similar to those used by Agent Smith in the hit series.
According to Jonathan Shimonovich, Head of Mobile Threat Detection Research at Check Point Software Technologies, the malware silently attacks user-installed apps, leaving Android users in a difficult position and unable to fend off such threats on their own.
Furthermore, Agent Smith infected a large number of devices. India is the country most attacked. Check Point research indicates that there are about 15 million devices here infected with Agent Smith. The second country is Bangladesh, with about 2.5 million devices falling victim to this malware. There are more than 300,000 cases of Agent Smith in the US and around 137,000 in the UK.
Check Point Research believes that the Agent Smith malware originated from a Chinese company that was created to help Chinese Android developers publish and promote apps in foreign markets.
The malware first appeared on a third-party app store, 9Apps. This third-party app store targets Indian, Arab and Indonesian users (which explains why the number of devices infected with Agent Smith in these regions is so large). That’s one of the reasons you should avoid downloading Android apps from third-party app stores.
Agent Smith malware works in three stages.
1. A dropper application (a type of malware developed to launch viruses, in the form of a free smartphone app) lures victims to install malware voluntarily. The original dropper contained encrypted malicious files and often took the form of “adult” photo extensions, games, or applications, which were mostly inactive.
2. Dropper decrypts and installs malicious files. The malware uses Google Updater, Google Update for U, or “com.google.vending” to disguise its activity.
3. The main malware generates a list of installed applications. If an app matches its “prey” list, it “patches” the target app with a malicious ad module, replacing the original as if it were a simple app update.
The list of “prey” includes WhatsApp, Opera, SwiftKey, Flipkart, Truecaller, etc.
Interestingly, Agent Smith incorporates several Android vulnerabilities, including Janus, Bundle, and Man-in-the-Disk. The combination creates a 3-stage infection process, allowing the malware distributor to build a monetized botnet (through advertising). The Check Point team believes that Agent Smith could be the first campaign to integrate and weaponize all the vulnerabilities together, making this malware incredibly dangerous.
Agent Smith malware uses a modular structure to infect targets, including:
The dropper is a legitimate application that is repackaged to contain a malicious Loader module. The loader extracts and runs the Core module, which in turn communicates with the malware’s C&C server. The C&C server then sends the list of prey. If any matching applications are found, the malware uses the vulnerability to insert the Boot module into the repackaged application.
The next time the infected app launches, the Boot module runs the Patch module, which uses the AdSDK module to introduce ads and start generating revenue.
Another interesting element of Agent Smith is that it doesn’t stop at a malicious application. If Agent Smith finds multiple matching apps in the prey list, it will replace each app with the malicious version.
Agent Smith also released malicious update patches for apps that had already been repackaged, continuing the infection and serving new ad packs.
Agent Smith’s main infection point is the third-party app store, 9Apps. However, Google Play was not left untouched either. Check Point discovered 11 apps on the Google Play Store that contained a set of malicious, inactive files related to Agent Smith. Agent Smith’s Google Play versions use a slightly different infection technique but with the same goal.
Check Point reported the malicious apps to Google and all have been removed from the Google Play Store.
You can spot Agent Smith pretty easily. If your frequently used apps suddenly start generating an excessive amount of ads, that’s a sure sign something is wrong. Ads that the malware “serves” are difficult or impossible to dismiss (this is another sign to watch out for). But because Agent Smith delivers the ads almost silently, the very small changes it makes to an application are extremely difficult to notice.
Please note that apps that suddenly display a huge volume of ads are not exclusive to Agent Smith. Other types of Android malware also serve ads to increase revenue. As a result, your device may have been infected with another type of Android malware.
If you suspect something is amiss, you should use anti-virus software to scan your device.
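As an added triage aid (this is example code written for this article, not a tool from Check Point or from the article itself), the following Python script parses the output of `adb shell pm list packages -i`, which prints each installed package together with the package name of the app that installed it, and flags anything that did not come from the Google Play Store (`com.android.vending`). The sample output embedded in the script is constructed, and `com.example.thirdpartystore` is a placeholder installer name, not a real store. The installer name is self-reported by the installing app, so this is only a first pass before a proper anti-malware scan, not a verdict.

```python
import re

# Installer package names treated as expected. com.android.vending is the
# Google Play Store. Add an OEM store's package name here if the device has one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample in the format `adb shell pm list packages -i` prints.
# "com.example.thirdpartystore" is a placeholder, not a real store package.
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.opera.browser  installer=com.example.thirdpartystore
package:com.truecaller  installer=null
package:com.android.settings  installer=null
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text):
    """Return {package_name: installer_name_or_None} from pm list output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or unexpected lines instead of failing
            inst = m.group("inst")
            result[m.group("pkg")] = None if inst == "null" else inst
    return result


def flag_packages(packages, trusted=TRUSTED_INSTALLERS):
    """Split packages into two review buckets: installed by an untrusted
    installer, and installer unknown (null: preinstalled or sideloaded APKs)."""
    untrusted, unknown = [], []
    for pkg, inst in sorted(packages.items()):
        if inst is None:
            unknown.append(pkg)
        elif inst not in trusted:
            untrusted.append((pkg, inst))
    return untrusted, unknown


def triage_report(text, trusted=TRUSTED_INSTALLERS):
    """Human-readable summary; review the untrusted entries first."""
    untrusted, unknown = flag_packages(parse_pm_output(text), trusted)
    lines = [f"{pkg}: installed by {inst} (not a trusted store)"
             for pkg, inst in untrusted]
    lines += [f"{pkg}: installer unknown (preinstalled or sideloaded)"
              for pkg in unknown]
    return "\n".join(lines) if lines else "no packages flagged"


if __name__ == "__main__":
    # Real use: adb shell pm list packages -i > packages.txt, then feed the
    # file's contents to triage_report() instead of SAMPLE_OUTPUT.
    print(triage_report(SAMPLE_OUTPUT))
```

Packages in the "installer unknown" bucket are usually preinstalled system apps, so the entries worth a closer look are the ones attributed to an installer you do not recognise; cross-check those against the apps that started showing unusual ads.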
The first suggestion is Malwarebytes Security, the Android version of the great anti-malware engine. Download Malwarebytes Security and do a full system scan. It will capture and remove any malicious apps present on your device.
Download Malwarebytes Security (Free, subscription available).
Refer to the article: Top best antivirus applications for Android phones for more details!
Hope you find the right option!