15 July 2019

“Agent Smith” malware infected more than 25 million Android devices


A new variant of mobile malware dubbed “Agent Smith” has already infiltrated more than 25 million Android devices, mainly in India, Pakistan and Bangladesh. Check Point researchers discovered the malware disguised as a Google-related application; it uses known Android exploits to automatically replace installed apps with malicious clones without the user’s knowledge or interaction. The malware’s behavior resembles that of previous campaigns such as Gooligan, HummingBad and CopyCat.

Currently the “Agent Smith” operators are using the malware to earn money through malicious advertisements, but it could easily be turned to more intrusive and harmful attacks such as banking credential theft, given its ability to hide its icon from the launcher and to disguise itself as any popular app installed on the device.

The Agent Smith malware masquerades as utility apps (e.g. photo editing), adult entertainment or games. It is spread through third-party app stores such as “9Apps”, a UC-backed store aimed mostly at Indian (Hindi), Arabic and Indonesian users. The initial dropper automatically decrypts and installs the core malware APK, which is usually disguised as Google Updater, Google Update for U or “com.google.vending”. The core malware extracts the list of apps installed on the device and, upon finding apps of interest, extracts the legitimate APKs, injects malicious ad modules and reinstalls them. To inject the malicious code the malware leverages several known Android vulnerabilities, including the Janus flaw, which allows an attacker to add arbitrary code to an APK without invalidating its signature.
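As an added illustration (not part of the original article or of the Check Point research), the shell snippet below shows a defender-side triage of two indicators the article mentions: the spoofed “com.google.vending” package name (the genuine Play Store package is com.android.vending) and installed APKs that carry only a v1 (JAR) signature, the case the Janus flaw applies to, since APK Signature Scheme v2 covers the whole file. The sample outputs are constructed, and the helper names are my own.

```shell
#!/bin/sh
# Added example: triage a device's package list and apksigner output.
# On a real device the inputs come from:
#   adb shell pm list packages -f          (package list)
#   adb pull <path>/base.apk && apksigner verify --verbose base.apk

# Constructed sample of `pm list packages -f` output (not from the report).
SAMPLE_PACKAGES='package:/data/app/com.example.photoeditor-1/base.apk=com.example.photoeditor
package:/data/app/com.google.vending-1/base.apk=com.google.vending
package:/system/priv-app/Phonesky/Phonesky.apk=com.android.vending'

# Constructed samples of `apksigner verify --verbose` output.
SAMPLE_V1_ONLY='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): false'

SAMPLE_V1_V2='Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false'

# Print package names that mimic Google's Play Store package name.
# $1: text of `pm list packages -f`. The real Play Store is com.android.vending.
flag_suspicious_names() {
  printf '%s\n' "$1" | sed -n 's/^package:.*=\(.*\)$/\1/p' |
    grep -x 'com\.google\.vending' || true
}

# Return 0 (true) when apksigner reports a v1 signature but no v2/v3 signature,
# i.e. the APK relies solely on the scheme Janus can bypass.
# $1: text of `apksigner verify --verbose`.
is_v1_only() {
  v1=$(printf '%s\n' "$1" | grep -c 'v1 scheme.*: true' || true)
  v23=$(printf '%s\n' "$1" | grep -c 'v[23] scheme.*: true' || true)
  [ "$v1" -gt 0 ] && [ "$v23" -eq 0 ]
}

# Stand-alone run over the constructed samples.
flag_suspicious_names "$SAMPLE_PACKAGES"
is_v1_only "$SAMPLE_V1_ONLY" && echo "v1-only APK: Janus-exposed on affected Android versions"
is_v1_only "$SAMPLE_V1_V2" || echo "v2-signed APK: whole-file signature present"
```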

Although the malware mainly affected India (over 15 million devices), Bangladesh (over 2.5 million) and Pakistan (almost 1.7 million), infections were also seen on devices in Saudi Arabia (245k), Australia (141k), the U.K. (137k) and the U.S. (303k). The researchers believe “Agent Smith” was developed by a China-based firm that uses it for financial gain.

According to the Check Point report, the malware has been active since early 2016. For two years its operators tested the ground using the 9Apps store as a distribution channel, but it appears they have since decided to expand into the official Google Play store. The researchers found at least 11 infected apps on Google Play that contain a malicious, though dormant, SDK related to the “Agent Smith” campaign. Check Point informed Google and all the tainted apps were removed.
