Researchers are warning of a new Android malware campaign that has already compromised a staggering 25 million devices via a popular third-party app store.
Dubbed “Agent Smith” by Check Point, the threat spreads by disguising itself as a legitimate Google application made available on the 9Apps marketplace run by Alibaba’s UCWeb.
If downloaded, it replaces legitimate apps on the phone with malicious versions which display fraudulent pop-up ads to generate illicit profits for the malware authors.
The vast majority (15m+) of infected devices are located in India, followed by Bangladesh (2.5m) and Pakistan (1.7m), although over 300,000 are located in the US and a large number of UK users are also affected.
Those behind the threat have worked hard to circumvent Android security controls, weaponizing multiple loopholes in a three-stage infection chain similar to malware like CopyCat, Hummingbad and Gooligan, according to Check Point.
The first stage involves a dropper app designed to lure the victim into downloading – usually a “barely functioning” photo utility, game or sex-related application.
Once downloaded, this app will decrypt and install a core malicious APK which carries out the updates to legitimate apps on the user’s phone. This malware is disguised as a Google Update app or similar.
“The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update,” Check Point continued.
“Agent Smith repacks its prey apps at smali/baksmali code level. During the final update installation process, it relies on the Janus vulnerability to bypass Android’s APK integrity checks. Upon kill chain completion, Agent Smith will then hijack compromised user apps to show ads.”
Although first detected as simple adware back in 2016, the threat evolved into something far more sophisticated a couple of years later. It has been traced back to a Chinese company which Check Point claimed has a legitimate front-end business promoting local Android developers on overseas platforms.
Tellingly, the Guangzhou-based firm is said to have advertised for Android reverse engineers in 2018.
Although the current version of the threat monetizes infection through ads, things could get worse, Check Point warned.
“With the ability to hide its icon from the launcher and hijack popular existing apps on a device, there are endless possibilities to harm a user’s digital [and] even physical security,” the vendor argued. “Today this malware shows unwanted ads, tomorrow it could steal sensitive information; from private messages to banking credentials and much more.”
Various elements of Agent Smith have also been discovered in apps on Google Play, indicating the malware authors are looking to spread their campaign even further. Check Point notified Google of 11 such apps, including two Jaguar Kill Switch infected apps which had already garnered 10 million downloads.
These have all now been removed, but the researchers urged greater use of on-device threat prevention and “attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.”