Android is widely regarded as one of the most frequently targeted mobile operating systems. Its openness to customization and its vast catalogue of compatible apps mean that malware and other malicious code can spread across Android devices with relative ease, as highlighted by reports that a new wave of Android malware is creeping onto devices through malicious apps.
The malware, known as Agent Smith, has already affected more than 25 million Android users around the world. The sneaky malware, as explained by IT security company Check Point, “disguised as a Google-related application, and exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without users’ knowledge or interaction.”
While the researchers found no evidence that Agent Smith collects unauthorized data, a malware strain that persists on a device is enough for other threat actors to exploit the Android vulnerability it creates.
According to the researchers, Android users remain unaware that Agent Smith has infected their devices because the malware is never downloaded directly. Instead, its code arrives bundled with games and other apps downloaded from a third-party marketplace.
The comprehensive research on the Agent Smith malware was conducted by Aviran Hazum, Feixiang He, Inbal Marom, Bogdan Melnykov, and Andrey Polkovnichenko of Check Point. According to the researchers, the malware strain works in three phases.
The first phase involves a dropper app that lures victims into installing it voluntarily. The initial dropper carries a weaponized Feng Shui Bundle as encrypted asset files. Dropper variants are usually barely functional photo utilities, games, or sex-related apps. “The dropper automatically decrypts and installs its core malware APK, which later conducts malicious patching and app updates. The core malware is usually disguised as Google Updater, Google Update for U, or ‘com.google.vending.’ The core malware’s icon is hidden,” they said.
“The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update,” they added.
The “core” module then contacts the C&C server to fetch a fresh list of applications to search for and, if that fails, falls back to a default app list.
According to the researchers, the dropper app is distributed through a third-party app marketplace called 9Apps, a store backed by the UC team and targeted mostly at Indian (Hindi), Arabic, and Indonesian users.
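As an added example (not code from the Check Point report), the following triage script shows how a defender could scan `adb shell pm list packages -i` output for the disguise names reported above and for Google-branded labels that arrived from an installer other than the Play Store. The sample output, app labels, example package names and the third-party store id are constructed; the Google namespace prefixes are an assumption.

```python
import re

# Disguises Check Point reported for the Agent Smith core module (from the article).
AGENT_SMITH_DISGUISES = {"Google Updater", "Google Update for U", "com.google.vending"}
# Installer id a baseline would trust (Play Store); 'null' means preloaded or sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Assumption: genuine Google packages live under these prefixes.
GOOGLE_PREFIXES = ("com.google.", "com.android.")
# One line of 'adb shell pm list packages -i' output: "package:<pkg>  installer=<id>"
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

def parse_pm_list(output: str) -> dict[str, str]:
    """Map each package name to the installer that put it on the device."""
    packages = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m["pkg"]] = m["installer"]
    return packages

def triage(pm_output: str, labels: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (package, installer, reason) for reported disguises and Google-branded lookalikes."""
    findings = []
    for pkg, installer in parse_pm_list(pm_output).items():
        label = labels.get(pkg, "")
        if pkg in AGENT_SMITH_DISGUISES or label in AGENT_SMITH_DISGUISES:
            findings.append((pkg, installer, "matches reported Agent Smith disguise"))
        elif ("google" in label.lower() and not pkg.startswith(GOOGLE_PREFIXES)
              and installer not in TRUSTED_INSTALLERS):
            findings.append((pkg, installer, "Google-branded label from untrusted installer"))
    return findings

# Constructed sample; the third-party store id and example packages are hypothetical.
SAMPLE_PM_OUTPUT = """\
package:com.google.android.gms  installer=null
package:com.android.vending  installer=null
package:com.example.photoeditor  installer=com.example.thirdpartystore
package:com.example.cleaner  installer=com.example.thirdpartystore
package:com.google.vending  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_LABELS = {
    "com.google.android.gms": "Google Play services",
    "com.android.vending": "Google Play Store",
    "com.example.photoeditor": "Google Updater",
    "com.example.cleaner": "Google Cleaner",
    "com.google.vending": "Google Update for U",
    "com.example.notes": "Notes",
}
```

Running `triage(SAMPLE_PM_OUTPUT, SAMPLE_LABELS)` flags the two disguised packages and the Google-branded lookalike from the third-party store, while the genuine Play Store and Play services entries pass.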
They also revealed that the malware seems to target mainly Indian users. However, reports from the US, Australia, and other regions show that the persistence of the malware is rather global.
“‘Agent Smith’ droppers show a very greedy infection tactic. It’s not enough for this malware family to swap just one innocent application with an infected double. It does so for every app on the device as long as the package names are on its prey list,” the researchers explained.
“Over time, this campaign will also infect the same device, repeatedly, with the latest malicious patches. This leads us to estimate there to be over 2.8 billion infections in total, on around 25 million unique devices, meaning that on average, each victim would have suffered roughly 112 swaps of innocent applications.”
The researchers said that while Agent Smith primarily exploits users through financially motivated ads, it has a plethora of implications, especially since users are usually unaware that their devices are already infected. In the end, they said that fighting malicious actors in the Android ecosystem is a community effort.
“The ‘Agent Smith’ campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android ecosystem. It requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time,” the researchers concluded.