‘Agent Smith’ malware has replaced Android apps’ code on 25 million devices

A newly discovered piece of Android malware that replaces portions of apps with its own code has infected more than 25 million devices, according to security firm Check Point. Check Point’s researchers named the malware “Agent Smith” because of the methods it uses to attack a device and avoid detection.

The malware doesn’t steal data from a user. Instead, it hacks apps and forces them to display more ads or takes credit for the ads they already display so that the malware’s operator can profit off the fraudulent views. Check Point says the malware looks for known apps on a device, such as WhatsApp, Opera Mini, or Flipkart, then replaces portions of their code and prevents them from being updated.

Agent Smith has primarily infected devices in India and other nearby countries. That’s because the main way it’s spread is through a third-party app store called 9Apps that’s popular in that region. The malware would be hidden inside “barely functioning photo utility, games, or sex-related apps,” Check Point writes. After a user downloaded one, the malware would disguise itself as a Google-related app, with a name like “Google Updater,” and then begin the process of replacing code.

Despite its focus on India, which accounts for 15 million infections, Check Point says the malware also made its way to the US where more than 300,000 devices were infected. The malware’s operator also seems to have attempted to expand into the Google Play Store, sneaking in 11 apps that included code related to a simpler version of the malware. The malware remained dormant, though, and Check Point says Google has now removed all of the discovered malicious apps.

Check Point says a key vulnerability that Agent Smith relies on was patched several years ago in Android. But developers need to update their apps in order to take advantage of the added protections. Evidently, many have not.

“This application was as malicious as they come,” Check Point writes of the malware. According to the researchers, the malware appears to be run by a Chinese company that claims to help developers publish their apps internationally.

Leave a Reply