Agent Smith Malware: Replaces legitimate apps, hides in WhatsApp and infects Android devices
A new strain of mobile malware has been found on roughly 25 million Android devices. Dubbed Agent Smith, it silently replaces apps already installed on the device with infected copies, without any user interaction, in order to push fraudulent advertisements and hijack legitimate ad events.
Agent Smith primarily hits devices running Android 5 and 6, mostly in India, Pakistan and Bangladesh, and is currently operated for financial gain through ad fraud.
How Does Agent Smith Malware Work?
Check Point researchers first encountered Agent Smith in early 2019, but its activity dates back to January 2016. Because the malware runs silently and hides behind the legitimate apps it replaces, detecting it in the early stages is very difficult.
Agent Smith infects devices in three stages:
1. A dropper app that the victim voluntarily installs. These droppers are repackaged versions of legitimate apps, usually photo utilities or games, chosen to lure victims.
2. The dropper then silently installs the core malware app. This app has no launcher icon and disguises itself as a Google-related updater, so it stays hidden from the home screen.
3. The core app scans the apps installed on the device against a target list that is either hardcoded or fetched from the C&C server. For each match, Agent Smith extracts the app's base APK, injects malicious ad modules into it and reinstalls the patched package in place of the original.
The carrier (dropper) app also contains a loader component, which extracts and runs a module that contacts the C&C server to fetch the list of apps to look for on the device. Targeted apps include WhatsApp, MX Player, Flipkart and other popular titles.
Once a targeted app is found, the core module abuses the Janus vulnerability (CVE-2017-13156), which lets an attacker prepend code to an APK signed only with the old v1 (JAR) scheme while the file still passes signature verification, because v1 signs the individual ZIP entries rather than the file as a whole. This is what allows Agent Smith to modify legitimate apps without changing their signatures.
The infected app is then installed over the original; when it runs, it extracts a boot module and executes the malicious payload. To keep a genuine update from overwriting the replica, a patch module is also installed that disables automatic updates for the modified app.
With everything in place, the malicious payload contacts the C&C server for the ad campaigns to display, and the fraudulent ads are served through the hijacked app.
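The following Python script is an added illustration of the structural check behind this attack chain; it is not code from the original article or from Check Point's research. It parses an APK's ZIP End Of Central Directory record, looks for the APK Signing Block (the v2/v3 scheme that covers the whole file) just before the central directory, and flags a file whose leading bytes are a DEX header, the shape of a Janus DEX/APK polyglot. The sample APKs, the placeholder signing block and the `prepend_dex` polyglot are constructed stand-ins for the demonstration (no real signature is produced or verified); in practice the same question is answered by `apksigner verify --verbose app.apk`, which reports which schemes verified.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                       # first bytes of every DEX header ("dex\n035\0" etc.)
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # 16-byte magic that closes an APK Signing Block
EOCD_SIG = b"PK\x05\x06"                   # ZIP End Of Central Directory record signature
V2_BLOCK_ID = 0x7109871A                   # APK Signature Scheme v2 ID-value pair
V3_BLOCK_ID = 0xF05368C0                   # APK Signature Scheme v3 ID-value pair


def find_eocd(data: bytes) -> int:
    """Offset of the EOCD record: the last one in the file, at most 64 KiB of comment after it."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return idx


def central_directory_offset(data: bytes) -> int:
    """EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n(2) cd_size(4) cd_offset(4) comment_len(2)."""
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def signing_block_ids(data: bytes) -> set:
    """IDs of the ID-value pairs in the APK Signing Block that sits just before the central directory.

    Block layout: size(8) | pairs... | size(8) | magic(16); each pair is len(8) | id(4) | value.
    Returns an empty set when no well-formed block is present (v1-only or unsigned APK).
    """
    cd_off = central_directory_offset(data)
    if cd_off < 32 or data[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", data, cd_off - 24)[0]   # trailing size field
    block_start = cd_off - size - 8                           # size excludes the leading size field
    if block_start < 0 or struct.unpack_from("<Q", data, block_start)[0] != size:
        return set()
    ids, pos, end = set(), block_start + 8, cd_off - 24
    while pos + 12 <= end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        ids.add(pair_id)
        pos += 8 + pair_len
    return ids


def assess_apk(data: bytes) -> dict:
    ids = signing_block_ids(data)
    return {
        "dex_prepended": data.startswith(DEX_MAGIC),   # Janus-style DEX/APK polyglot
        "has_v2": V2_BLOCK_ID in ids,
        "has_v3": V3_BLOCK_ID in ids,
    }


def janus_risk(data: bytes) -> str:
    r = assess_apk(data)
    if r["dex_prepended"]:
        return "TAMPERED: DEX header precedes the ZIP, Janus-style polyglot"
    if r["has_v2"] or r["has_v3"]:
        return "OK: v2/v3 signing block present, the whole file is covered by the signature"
    return "AT RISK: v1 (JAR) signature only, Janus-susceptible on unpatched devices"


def entry_names(data: bytes) -> list:
    """Names of the ZIP entries; shows the file still parses after a block is inserted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# ---- constructed samples (stand-ins for the demo, not real apps) ----

def build_sample_apk() -> bytes:
    """Minimal v1-style APK: a ZIP with a placeholder classes.dex and JAR-signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
    return buf.getvalue()


def add_fake_signing_block(apk: bytes, ids=(V2_BLOCK_ID,)) -> bytes:
    """Insert a structurally valid (but unsigned, placeholder) APK Signing Block before the
    central directory and repoint the EOCD at the moved directory. Local-header offsets are
    unchanged, so the ZIP stays readable."""
    cd_off = central_directory_offset(apk)
    pairs = b"".join(struct.pack("<QI", 4 + 8, i) + b"\0" * 8 for i in ids)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd_off] + block + apk[cd_off:])
    struct.pack_into("<I", out, find_eocd(out) + 16, cd_off + len(block))
    return bytes(out)


def prepend_dex(apk: bytes) -> bytes:
    """Janus-style polyglot stand-in: a DEX header glued in front of the ZIP. A real exploit
    also rewrites the ZIP offsets; the detection above only needs the leading magic."""
    return b"dex\n035\0" + b"\0" * 24 + apk


if __name__ == "__main__":
    v1 = build_sample_apk()
    for label, sample in (("v1-only", v1), ("v2", add_fake_signing_block(v1)), ("polyglot", prepend_dex(v1))):
        print(label, janus_risk(sample))
```

The check is deliberately structural: it tells you whether a package even carries a signature scheme that covers the whole file, which is the property Janus defeats, not whether that signature is valid. A v1-only result on a device that never received the December 2017 Android patch is exactly the combination Agent Smith's replacement step relies on.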
Who is the threat actor?
The attackers initially used 9Apps, a third-party Android app store that Alibaba acquired in 2014, to distribute the dropper apps.
Researchers also uncovered 11 apps on Google Play carrying an Agent Smith component. The top five droppers alone have been downloaded about 7.8 million times. After the report, Google took the apps down.
What’s the result?
This is not the first time attackers have abused third-party app stores to infect devices. What is more concerning this time is that the malware operators also managed to get components onto Google Play, the official store.
The Janus vulnerability was patched in Android in December 2017, and apps signed with APK Signature Scheme v2 or later are not affected by it, yet many developers still sign only with the old v1 scheme and many devices never received the patch. Proper countermeasures are therefore still needed: users should move off Android versions that no longer receive security patches, and app developers, device manufacturers, OS developers and users all have to work together to close such holes.
For now Agent Smith is focused on making money from ad fraud, but nothing stops the same app-replacement capability from being turned to stealing sensitive information, so protective measures should be taken now rather than after the fact.