New Android malware replaces legitimate apps with ad-infested doppelgangers

New "Agent Smith" malware operation is preparing to invade the Google Play Store.

A new Android malware strain has been discovered that can infect devices and replace legitimate apps with clones that show a deluge of ads for a criminal group's profits.

The malware, named Agent Smith, has claimed over 25 million victims, according to a report shared with ZDNet before publication by cyber-security firm Check Point.

The vast majority of victims are located in India (15.2 million), Bangladesh (2.5 million), and Pakistan (1.7 million), and most users remain infected for a period of at least two months.

Malware operated by Chinese company

Check Point, which discovered this malware earlier this year, says it tracked down its operators to a Chinese tech company located in the city of Guangzhou.

The company, researchers said, operates a front-end legitimate business that helps Chinese Android app developers publish and promote their apps on overseas platforms.

However, Check Point said it found ads for job roles that were consistent with operating the Agent Smith malware infrastructure and had no connection to the company's real business.

The job listings were posted starting in 2018, when Check Point says the first versions of the malware also started appearing. Researchers didn't share any other details about the company, citing an ongoing law enforcement investigation.

Active since 2018, now targeting the Play Store

As for the malware itself, there is worrying news for Android users.

While the current form of the Agent Smith malware appeared in early 2018 and has been around for more than a year, for most of that time it was only distributed via booby-trapped Android apps uploaded on 9Apps, an independent Android app store managed by UCWeb, the developer behind the UC Browser Android browser.

However, Check Point said that during recent months, apps infected with components used in the deployment of the Agent Smith malware have also begun appearing on the Google Play Store.

The company said it detected 11 such apps already, showing that the malware operators are setting up the base for a distribution campaign leveraging the official Android app store.

[Figure: Agent Smith timeline. Image: Check Point]

"Evidence implies that the 'Agent Smith' actor is currently laying the groundwork, increasing its Google Play penetration rate and waiting for the right timing to kick off attacks," Check Point said.

"By the time of this publication, two [Agent Smith] infected apps have reached 10 million downloads while others are still in their early stages."

Fortunately, Check Point has sabotaged this early deployment, reporting the infected apps to Google's security team, who intervened and removed all apps.

Agent Smith's sneaky modus operandi

But despite this early takedown, Android users shouldn't feel safe. The Agent Smith malware has a novel structure and infection methodology that make it incredibly hard to detect until it's too late and a phone has been compromised.

The malware first appeared in 2016, when it worked like any other boring adware that blasted users with ads, and morphed into a highly complex operation in 2018.

Since around May 2018, the Agent Smith malware has used a three-part infection mechanism that's on par with the most advanced Android malware operations known today, such as CopyCat, Gooligan, and HummingBad.

The malware relies on its operators littering an app store with benign, but fully working apps. In this particular case, the Agent Smith crew used malicious code hidden in games, utilities, or adult-themed apps uploaded on the 9Apps store.

Users would download these apps, which contained a malicious component (disguised as an SDK -- a software development kit) that would later download and install another Android app package (APK) that contained the actual Agent Smith malware.

Once on an infected phone, Agent Smith would scan locally installed apps, and using an internal list of targets, would replace the original apps with ad-infected clones.

This list includes 16 app package names, with the vast majority of apps being the ones popular on the Indian market, such as various Jio and Hotstar apps, but also international apps such as WhatsApp, Lenovo's AnyShare, Opera Mini, Flipkart, and TrueCaller.

This "replacement" process is itself very complex, Check Point said. The Agent Smith malware uses the Janus technique to inject malicious code inside a legitimate app, but without affecting its MD5 file hash.

If this succeeds, Agent Smith triggers an update of the injected app, cementing the malicious code inside the legitimate app, and then blocking future app updates, so it won't be removed during a subsequent app update.
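A defender-side check for the kind of file the Janus technique produces, as an added example that is not from Check Point's report or the original article. It assumes the publicly documented shape of a Janus file (DEX bytes placed in front of the ZIP archive that makes up the APK); the function names and the sample inputs are constructed for illustration.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"          # first bytes of every DEX file
EOCD_SIG = b"PK\x05\x06"      # ZIP end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"      # ZIP central-directory entry

def janus_indicators(data: bytes) -> dict:
    """Report whether a file parses as a ZIP/APK while also starting like a DEX."""
    result = {"is_zip": False, "dex_magic": data.startswith(DEX_MAGIC),
              "prefix_len": 0, "suspicious": False}
    # The EOCD is 22 bytes plus an optional comment of at most 65535 bytes.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if eocd < 0 or eocd + 22 > len(data):
        return result
    total, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    cd_start = eocd - cd_size        # where the central directory really sits
    shift = cd_start - cd_offset     # non-zero if bytes were prepended and offsets left as-is
    if cd_start < 0 or shift < 0:
        return result
    first_local, pos = len(data), cd_start
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG or pos + 46 > eocd:
            return result
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        first_local = min(first_local, local_off + shift)
        pos += 46 + name_len + extra_len + comment_len
    result["is_zip"] = True
    result["prefix_len"] = first_local if total else 0   # bytes before the first ZIP entry
    result["suspicious"] = result["dex_magic"] and result["prefix_len"] > 0
    return result

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a small ZIP with two entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 104)
    return buf.getvalue()

def build_polyglot(apk: bytes) -> bytes:
    """Constructed test input: 112 inert DEX-header-sized bytes, then the ZIP."""
    return b"dex\n035\x00" + b"\x00" * 104 + apk
```

Files signed with APK Signature Scheme v2 or later fail verification when bytes are prepended, so a hit matters most for apps that carry only a v1 (JAR) signature.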

The entire process is quite stealthy and innovative, and it's very surprising to see it used for something as banal as adware, when it's a technique you'd expect to see used for spyware or more dangerous threats -- something that Check Point researchers are also very well aware of.

"Today this malware shows unwanted ads, tomorrow it could steal sensitive information; from private messages to banking credentials and much more," they said.

A technical analysis of the Agent Smith malware is available on the Check Point website.
