‘Agent Smith’ Malware Infects 25 million phones worldwide
By Dzof Azmi July 15, 2019
- Compromises existing apps such as WhatsApp and Opera to monetise ads
- 11 more apps found on the Google Play Store with a dormant “infect” switch
VULNERABILITIES in Android have opened the door for a piece of malware to infect an estimated 25 million phones worldwide, including 15 million devices in India and over 800,000 devices in Southeast Asia.
"Today this malware shows unwanted ads," said an advisory from Check Point Research, the team that first highlighted the threat. "Tomorrow it could steal sensitive information; from private messages to banking credentials and much more."
Dubbed "Agent Smith" after the character in the movie "The Matrix", the malware updates certain apps that may already be installed on the phone with its own payload. Some of the more popular apps targeted include the chat program WhatsApp, the web browser Opera and the keyboard software SwiftKey.
These compromised apps will then show advertisements for financial gain. “The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,” said Jonathan Shimonovich, head of Mobile Threat Detection Research at Check Point Software Technologies.
Main targets are users in India
The malware was first highlighted by Check Point Research when the team were alerted to a wave of malware attacks against users in India earlier this year.
Their preliminary investigations discovered that the malware has the ability to hide its app icon and disguise itself as a Google-related module. Among the names it tries to pass itself off as are: “Google Updater”; “Google Update for U”; and “com.google.vending”.
The malware was hidden in innocent-looking apps on the 9Apps market in over 360 different variants, presenting themselves as games, adult entertainment, media players, photo utilities and system utilities.
The top five most downloaded compromised apps are: Color Phone Flash - Call Screen Theme; Photo Projector; Rabbit Temple; Kiss Game: Touch Her Heart; and Girl Cloth Cray Scan Simulator.
Once the malware has established itself on the phone, it looks for other installed apps on its "prey list". If a suitable target is identified, it patches that app with what appears to be a regular update but is in fact a malicious payload.
To date, "Agent Smith" seems to have been primarily targeted at Indian users, representing 59% of those affected. In Southeast Asia, affected countries include Indonesia (572,025 incidents), the Philippines (226,701), Malaysia (55,647), Thailand (52,848), Vietnam (32,916) and Singapore (6,257).
Dormant version found on Google Play Store
The team from Check Point Research also reported that they have connected "Agent Smith" to an internet company in Guangzhou, China, whose business is to help Chinese Android developers promote their apps overseas. The team also concluded that "Agent Smith's" threat list "contain competitor apps of actor’s legitimate business arm to suppress competition".
Worryingly, Check Point Research also discovered 11 apps on the Google Play store that contained a dormant version of this malware. The keyword "infect" would switch the malware from an ads server to what the researchers called a "malicious payload delivery".
"Evidence implies that the “Agent Smith” actor is currently laying the groundwork, increasing its Google Play penetration rate and waiting for the right timing to kick off attacks," said their analysis, adding that two of the infected apps had already been downloaded 10 million times. (Google has since removed the suspected apps from the Play Store.)