Agent Smith attack targets mobile devices across Asia and beyond

A new mobile malware targeting Android users across India can hijack legitimate apps to deliver malicious code, researchers have warned.

The attack, dubbed ‘Agent Smith’, has reportedly affected around 25 million device users without their knowledge.

It was discovered by researchers at Check Point, who revealed that the three-stage attack is currently being exploited to deliver advertisements for financial gain.

The malware is downloaded onto the phone knowingly, usually via a “barely functioning photo utility, games, or sex-related” app, reports Check Point.

It searches for legitimate apps downloaded onto the device and replaces a portion of their code with its own.

This malicious code can then serve up ads, take credit for paid-for ads within the app, and block automatic updates for the infected application.

It also changes its name to a Google-related app, such as ‘Google Updater’, to trick the user.

The three-stage attack goes as follows: the dropper app is downloaded; it automatically decrypts and installs its core malware APK, disguised as a Google app, and hides the icon; finally, the malware extracts the device’s installed app list and replaces certain apps’ code with its own.

This malware relies, in part, on a previously discovered vulnerability dubbed ‘Janus’. Agent Smith takes advantage of those applications that haven’t been updated to protect against it.
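The Janus weakness mentioned above lets one file be both a valid DEX and a valid APK (the older v1 scheme signs only the ZIP entries, so a DEX prepended to a signed APK still verifies), which the whole-file APK Signature Scheme v2 prevents. The script below is an added example, not code from Check Point or Google: it flags a file that starts with DEX magic yet still parses as a ZIP, and a ZIP that carries no v2 signing block. The sample APKs it builds are constructed and unsigned, so both report v1_only.

```python
"""Defender-side checks for the two APK traits Agent Smith relies on:
a Janus-style hybrid (a DEX file with the ZIP/APK appended, so the file
starts with DEX magic) and the absence of a whole-file v2 signing block."""
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"
EOCD_SIG = b"PK\x05\x06"
V2_MAGIC = b"APK Sig Block 42"  # trailing magic of the APK Signing Block


def central_dir_start(data: bytes):
    """Offset of the ZIP central directory, corrected for any prepended data."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    prefix = eocd - (cd_offset + cd_size)  # bytes sitting in front of the real ZIP
    return cd_offset + prefix


def inspect_apk(data: bytes) -> dict:
    """Return findings for one APK image held in memory."""
    cd = central_dir_start(data)
    zip_ok = False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zip_ok = zf.testzip() is None  # zipfile tolerates prepended bytes
    except zipfile.BadZipFile:
        pass
    # The signing block, when present, ends with its magic right before the central directory.
    has_v2 = cd is not None and cd >= 16 and data[cd - 16:cd] == V2_MAGIC
    return {
        "zip_readable": zip_ok,
        "janus_suspect": zip_ok and data.startswith(DEX_MAGIC),
        "v1_only": zip_ok and not has_v2,
    }


def build_sample(prepend_dex: bool) -> bytes:
    """Constructed sample: a tiny unsigned ZIP standing in for an APK, optionally
    with a fake DEX header in front to mimic the Janus hybrid layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    apk = buf.getvalue()
    return (b"dex\n035\0" + b"\0" * 64 + apk) if prepend_dex else apk


if __name__ == "__main__":
    for label in ("clean", "hybrid"):
        print(label, inspect_apk(build_sample(label == "hybrid")))
```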

“In this case, ‘Agent Smith’ is being used for financial gain through the use of malicious advertisements,” the researchers wrote.

“However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft.

“Indeed, due to its ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device.”

Indian users, beware

This latest attack is mostly targeting users in India, where 15 million devices were infected, but it has been seen across Asia in countries such as Pakistan and Bangladesh, as well.

In the US, more than 300,000 devices were also discovered to be infected.

Boris Cipot, senior security engineer at Synopsys, offered some advice for Android users on how to protect themselves against rogue apps.

He said: “App stores make their best effort to promote software from developers, communities, and companies alike.

“Some have firm rules around software development principles and naming conventions (and more) minimizing the likelihood of malicious actors’ ability to place rogue applications within app stores.

“However, not all stores enforce such stringent rules; thus, allowing an opening for attack.”

Cipot added: “One way to remain vigilant against attacks is to only use app stores with strict application development policies and reviews. Be observant and cautious with regard to what you install on your mobile devices.

“Before confirming installation, have a look to see where the app comes from, if there are reliable sources reviewing the app, and investigate the default permissions.

“For instance, if a flashlight app asks permission to access your contacts, this should raise red flags. In such a case, be safe and don’t confirm the install.”

A technical deep dive into how the attack works can be found on Check Point’s research blog.

Researchers confirmed that, at the time of going public, there were no malicious ads in the Google Play store.

The team is working closely with Google on the issue and has liaised with law enforcement.
