A new type of Android malware called Agent Smith has infected 25 million mobile phones with the goal of pushing ads or hijacking effective advertising events. Victims are tempted to download virus programs that are disguised as photo applications, porn-related apps, or games from third-party app stores, and once downloaded, they download Agent Smith.
The malware is usually disguised as a utility such as Google Updater, Google Update for U, or com.google.vending, and hides its icon from the user. Next, the malware checks the application on the target phone and then gets an update to the “patch” recognition APK with the malicious ad module. In order to complete the update installation process, the malware exploits the Janus vulnerability, which allows it to bypass Android’s APK integrity check. Janus is an Android vulnerability dating back to 2017.
“Indeed, due to its ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device,” Check Point says in a technical report today.
Check Point said Agent Smith is lurking in third-party app stores, such as the 9App, primarily for Indian, Arab and Indonesian users. The largest number of infections is in India (more than 15 million), followed by Bangladesh (more than 2.5 million) and Pakistan (nearly 1.7 million), and Indonesia ranks fourth with 570,000 infected devices. However, infections have also been found in equipment in Saudi Arabia (245 K), Australia (141 K), the United Kingdom (137 K) and the United States (303 K).
The researchers analyzed:
“We connected the Agent Smith campaign to a Chinese internet company located in Guangzhou whose front end legitimate business is to help Chinese Android developers publish and promote their apps on overseas platforms.”