Do you see an ad popping up while opening WhatsApp? If yes, then you are hit by a new malware called ‘Agent Smith’. The newly discovered Android malware has already infected 2.5 crore devices with most of the victims located in India where as many as 1.5 crore devices are infected. Even in the US, nearly 3 lakh devices are said to be infected, making it one of the worst attacks on the Android operating system in recent memory.
Check Point’s researchers named the malware “Agent Smith” because of the methods it uses to attack a device and avoid detection.
The malware doesn’t steal data from a user. Instead, it hacks apps and forces them to display more ads, or takes credit for the ads they already display, so that the malware’s operator can profit off the fraudulent views. However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft and eavesdropping.
Check Point says the malware looks for known apps on a device, such as WhatsApp, Opera Mini, or Flipkart, then replaces portions of their code and prevents them from being updated. This activity resembles previous malware campaigns such as Gooligan, HummingBad, and CopyCat, Check Point added.
In general, the malware gets onto a device when a user downloads an app from a third-party app store. That app installs the malware, which is masked as a legitimate Google updating tool. The installed app does not show an icon on the screen. Legitimate apps like WhatsApp are then altered and replaced with a malicious update, which then serves ads.
The malware has spread because several users give the official Google Play Store a miss and download apps from third-party app stores like 9apps.com. It mostly targets Hindi-, Arabic-, Russian- and Indonesian-speaking users. “So far, the primary victims are based in India, though other Asian countries such as Pakistan and Bangladesh have also been impacted. There has also been a noticeable number of infected devices in the United Kingdom, Australia, and the United States,” said Check Point.
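Because the infection starts with an app from a third-party store and hides behind a Google-style updater name, a quick defensive check is to list user-installed packages with their install source (`adb shell pm list packages -i -3`) and review anything that did not come from Google Play. The script below is an added example, not Check Point's tooling; the sample listing and every package name in it are constructed, and the `com.google.` name test is an assumed heuristic rather than a known indicator.

```python
import re

# Installer package name of the official Google Play Store.
PLAY_STORE = "com.android.vending"

# Constructed sample of `adb shell pm list packages -i -3` output
# (user-installed packages with their installer). All names are made up
# for illustration; none is a real indicator of this malware.
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.game  installer=com.example.thirdpartystore
package:com.google.example.updater  installer=null
package:org.example.notes  installer=com.android.vending
"""

LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<src>\S+)$")


def audit(listing):
    """Return [(package, installer, reasons)] for packages worth reviewing."""
    findings = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unexpected lines
        pkg, src = m["pkg"], m["src"]
        reasons = []
        if src != PLAY_STORE:
            reasons.append("not installed by Google Play")
            # Assumed heuristic: a user-installed package with a Google-looking
            # name that did not come from Play fits the "fake Google updater"
            # disguise described above.
            if pkg.startswith("com.google."):
                reasons.append("Google-style name from a non-Play source")
        if reasons:
            findings.append((pkg, src, reasons))
    return findings


if __name__ == "__main__":
    for pkg, src, reasons in audit(SAMPLE):
        print(f"{pkg} (installer={src}): {'; '.join(reasons)}")
```

A hit is a prompt for manual review, not a verdict: apps sideloaded by the owner or installed by a vendor store also show a non-Play installer.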
The malware is capable of hiding its icon from the phone’s launcher and can pose as any popular app like WhatsApp to serve advertisements. This is just one of the possible ways the malware can use the affected device to send money back to the hackers, as per a typical pay-per-click system.
Check Point says a key vulnerability that Agent Smith relies on was patched several years ago in Android. But developers need to update their apps in order to take advantage of the added protection. Evidently, many have not.
Based on its research, Check Point believes that a Chinese firm operating in the city of Guangzhou is the main culprit behind the attacks. The name of the company has been redacted from its publication, and information related to the attacks has been provided to law enforcement officials, as well as Google, to assist them in further investigation.
Although this form of malware was initially only spread through 9Apps, the researchers discovered traces of the malicious actors looking to spread their system to Play Store applications as well. During the search, 11 Play Store apps were found to be connected to the attackers. However, Check Point does state that it has worked closely with Google to remove all of these from the Play Store.