Agent Smith malware silently infects mobile devices


Researchers at Check Point have discovered a new variant of mobile malware that has silently infected some 25 million devices, without the users’ knowledge, and is spreading rapidly.

The core part of the malware, which is disguised as a Google-related application, exploits various known Android vulnerabilities and automatically replaces installed apps on the device with malicious versions without the user’s intervention.

Dubbed 'Agent Smith' after a character in the classic Matrix trilogy, who describes the human race as a species that multiplies until every resource is consumed, the malware uses its broad access to the device’s resources to show fraudulent ads for financial gain. 

Its activity resembles previous campaigns such as Gooligan, HummingBad and CopyCat. Even smartphones running Android versions newer than 7 can be affected.

In this instance, Agent Smith is being used for monetary gain through the use of malvertising or malicious advertisements. 

“However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft and eavesdropping. Indeed, due to its ability to hide its icon from the launcher and impersonate existing user-trusted popular apps, there are endless possibilities for this sort of malware to harm a user’s device,” the researchers said.

What it does

The malware has primarily three phases in its attack flow. Firstly, the threat actor tricks users into downloading a dropper application from an app store such as 9Apps. These droppers are usually posing as legitimate free games, utility applications or adult entertainment applications. However, they contain an encrypted malicious payload. The dropper application then checks if any popular applications, such as WhatsApp, MXplayer, ShareIt and more from the attacker’s pre-determined list, are installed on the device. If any targeted application is found, Agent Smith will then attack those innocent applications at a later stage.

In the next phase, once the dropper has gained a foothold on the target device, it automatically decrypts the malicious payload into its original form – an Android installation (APK) file which serves as the core part of the malware’s attack. The dropper then abuses several known system vulnerabilities to install the core malware without any user intervention.

In the final phase, the core malware conducts attacks against each installed application on the phone which appears on its target list. Agent Smith quietly extracts a given innocent application’s APK file, patches it with extra malicious modules and finally abuses a further set of system vulnerabilities to silently swap the innocent version with a malicious one.

Lacking security measures

According to Check Point, it is unsurprising that the malware has reached such a high infection rate, as third-party stores often lack the appropriate security measures to block apps that are loaded with adware. This stands as a reminder to all users that apps should only be downloaded from trusted app stores to mitigate the risk of infection.

Moreover, given that Agent Smith’s main approach is to attack user installed applications from third party app stores silently, it is not easy for the average Android user to defend themselves. 

“An advanced threat prevention solution should detect and block the malicious version of these apps from being installed, while alerting the user to the suspicious attempted activity. In addition, adopt a ‘hygiene first’ approach to protecting your organisation’s digital assets,” the security giant advises.

What to do

Check Point advises anyone who has been infected to follow these steps to remove the malicious apps:

For Android

1. Go to Settings Menu

2. Click on Apps or Application Manager

3. Scroll to the suspected app and uninstall it.

If it can’t be found, then remove all recently installed apps.
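The removal steps above hinge on spotting the “suspected app”, and the attack flow described earlier gives two usable signals: the dropper and its repackaged victims arrive from a third-party store rather than Google Play, and a repackaged APK may no longer carry the vendor’s signing certificate. The script below is an added example written for this page; it is not Check Point’s tooling or anything from the original article. It parses the text of two real commands an analyst would run over USB debugging, `adb shell pm list packages -i` (package plus the installer that put it there) and `apksigner verify --print-certs` on each pulled APK, and reports packages that did not come from a trusted installer, the subset on a watch list of apps named in the article, and watch-listed packages whose signing certificate differs from a pinned value. The package ids for WhatsApp, MX Player and SHAREit are real; the third-party store id, the free-game package, the certificate digests and the command output are all constructed for the example.

```python
import re

# Installers an organisation would normally trust. Constructed policy for the
# example; an MDM that installs apps would be added here.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Apps the article names as repackaging targets. Real package ids, but only a
# starting point, not the attacker's full list.
WATCH_LIST = {"com.whatsapp", "com.mxtech.videoplayer.ad", "com.lenovo.anyshare.gps"}

# Signing-certificate SHA-256 digests recorded from known-clean installs.
# CONSTRUCTED placeholder values, not the vendors' real digests.
PINS = {
    "com.whatsapp": "11" * 32,
    "com.mxtech.videoplayer.ad": "22" * 32,
    "com.lenovo.anyshare.gps": "33" * 32,
}

# Line shape printed by `adb shell pm list packages -i`:
#   package:<name>  installer=<installer package or null>
_INSTALLER_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")

# Line shape printed by `apksigner verify --print-certs`:
#   Signer #1 certificate SHA-256 digest: <64 hex chars>
_DIGEST_RE = re.compile(r"certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")


def parse_installer_listing(text):
    """Map package -> installer (None when pm reports 'null', i.e. sideloaded)."""
    listing = {}
    for line in text.splitlines():
        m = _INSTALLER_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            listing[pkg] = None if installer == "null" else installer
    return listing


def sideloaded(listing):
    """Packages whose recorded installer is missing or not on the trusted list."""
    return sorted(p for p, inst in listing.items() if inst not in TRUSTED_INSTALLERS)


def watch_list_hits(listing):
    """Sideloaded packages that are also known Agent Smith targets."""
    return sorted(p for p in sideloaded(listing) if p in WATCH_LIST)


def parse_apksigner_digests(text):
    """All signer certificate SHA-256 digests in apksigner output, lower-cased."""
    return [d.lower() for d in _DIGEST_RE.findall(text)]


def pin_mismatches(observed, pins):
    """observed: package -> digests seen on the pulled APK.
    Returns packages with a pin whose pinned digest is not among the signers."""
    bad = []
    for pkg, digests in observed.items():
        expected = pins.get(pkg)
        if expected is not None and expected.lower() not in digests:
            bad.append(pkg)
    return sorted(bad)


def triage(pm_output, apksigner_outputs):
    """Run all three checks over captured command output and return the findings."""
    listing = parse_installer_listing(pm_output)
    observed = {p: parse_apksigner_digests(t) for p, t in apksigner_outputs.items()}
    return {
        "sideloaded": sideloaded(listing),
        "watch_list_hits": watch_list_hits(listing),
        "cert_mismatches": pin_mismatches(observed, PINS),
    }


# Constructed sample output, as if captured from an infected device.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.mxtech.videoplayer.ad  installer=null
package:com.lenovo.anyshare.gps  installer=com.example.thirdpartystore
package:com.example.freegame  installer=com.example.thirdpartystore
"""

SAMPLE_APKSIGNER = {
    "com.whatsapp": "Signer #1 certificate SHA-256 digest: " + "11" * 32,
    "com.mxtech.videoplayer.ad": "Signer #1 certificate SHA-256 digest: " + "22" * 32,
    # SHAREit's APK now carries a different signer: repackaged and re-signed.
    "com.lenovo.anyshare.gps": "Signer #1 certificate SHA-256 digest: " + "44" * 32,
    # The dropper itself has no pin, so only its installer source is flagged.
    "com.example.freegame": "Signer #1 certificate SHA-256 digest: " + "55" * 32,
}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PM_OUTPUT, SAMPLE_APKSIGNER).items():
        print(f"{key}: {value}")
```

A matching certificate is not proof that an APK is untouched: the article describes the swap being carried out through system vulnerabilities rather than a normal reinstall, so treat the installer-source result as the primary signal and, where a clean copy of the app is available, compare the pulled APK against it byte for byte before trusting the pin check.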

For iPhone

1. Go to Settings Menu

2. Scroll to ‘Safari’

3. On the list of options, ensure that ‘block pop-ups’ is selected.

4. Then go to ‘Advanced’ -> ‘Website Data’.

5. Delete any unrecognised sites listed there.
