Malware researchers discovered a new malicious campaign for Android devices that replaces legitimate apps with tainted copies built to push advertisements or hijack valid ad events.
Around 25 million devices have already been infected with what researchers have dubbed “Agent Smith,” after users installed an app from an unofficial Android store.
Untrusted app sources
Victims are lured with the promise of a photo utility, game, or adult app that carries a malicious package. Once on the device, the bait app decrypts and installs Agent Smith.
The malware tries to hide its presence by posing as a utility from Google – Google Updater, Google Update for U or “com.google.vending,” and by concealing its icon from the user.
When an installed app matches its target list, Agent Smith extracts that app's base APK and adds a malicious ads module. It then replaces the original package with the tampered one, with the user being none the wiser.
To complete the update installation process, the malware exploits the Janus vulnerability, which allows an attacker to bypass an app's signature check and add arbitrary code to it.
The result is that the Android user will see innocent-looking apps spewing ads. Furthermore, even the original app's ads will be monetized by the Agent Smith operators, as the malware can hijack the ad events and pass them to the ad broker with the hackers' campaign IDs.
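The Janus weakness the article refers to affects APKs that carry only the older v1 (JAR) signature, which verifies the ZIP entries but not bytes outside them; an APK signed with the v2 scheme carries an "APK Signing Block" that covers the whole file, and Android 7.0 and later verify that block when present. The following script is an added example (not code from the article or from Check Point) that a defender can run over APK files to spot the two conditions worth triaging: a package with no APK Signing Block (v1-only, so exposed to Janus-style tampering) and a file whose leading bytes are not a ZIP local file header, which a clean APK never has. The sample APKs are constructed in memory, and the block it builds contains no real signature, only the structural markers the check looks for.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # closes an APK Signing Block (v2/v3 signatures)
ZIP_LOCAL_HEADER = b"PK\x03\x04"           # every well-formed APK starts with this
EOCD_SIGNATURE = b"PK\x05\x06"             # ZIP End of Central Directory record


def find_central_directory_offset(data: bytes) -> int:
    """Locate the EOCD record and return the offset of the central directory."""
    eocd = data.rfind(EOCD_SIGNATURE)
    if eocd < 0:
        raise ValueError("no End of Central Directory record: not a ZIP/APK")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    return cd_offset


def has_apk_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block sits immediately before the central directory.

    The block ends with a uint64 size field followed by the 16-byte magic, so the
    magic occupies the 16 bytes just before the central directory.
    """
    cd_offset = find_central_directory_offset(data)
    if cd_offset < 24:
        return False
    return data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC


def assess_apk(data: bytes) -> dict:
    """Return the findings a triage script would record for one APK image."""
    findings = {
        "starts_with_zip_header": data[:4] == ZIP_LOCAL_HEADER,
        "has_v2_signing_block": has_apk_signing_block(data),
    }
    # Exposed to Janus-style tampering when only v1 signing is present, or when
    # something has been placed in front of the ZIP structure.
    findings["janus_exposed"] = (
        not findings["has_v2_signing_block"] or not findings["starts_with_zip_header"]
    )
    return findings


def build_sample_apk(with_signing_block: bool) -> bytes:
    """Constructed sample: a minimal ZIP posing as an APK, optionally with a
    structurally valid but empty APK Signing Block (no real signature inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest placeholder/>")
        zf.writestr("classes.dex", b"\x00" * 32)  # placeholder, not real bytecode
    data = buf.getvalue()
    if not with_signing_block:
        return data
    eocd = data.rfind(EOCD_SIGNATURE)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    # Block size covers the ID-value pairs (none here), the trailing size field
    # and the magic; the leading size field is excluded by the format.
    size = 0 + 8 + 16
    block = struct.pack("<Q", size) + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    # Insert the block between the local file entries and the central directory,
    # then point the EOCD at the shifted central directory.
    data = data[:cd_offset] + block + data[cd_offset:]
    eocd = data.rfind(EOCD_SIGNATURE)
    new_offset = struct.pack("<I", cd_offset + len(block))
    return data[:eocd + 16] + new_offset + data[eocd + 20:]


if __name__ == "__main__":
    for label, sample in (
        ("v2-signed sample", build_sample_apk(True)),
        ("v1-only sample", build_sample_apk(False)),
    ):
        print(label, assess_apk(sample))
```

The check only establishes whether a v2 block exists, not that its signature verifies; on a device, `apksigner verify --verbose` from the Android SDK build tools is the authoritative check, and this script is useful for bulk triage of APKs pulled from an unofficial store before they reach a device.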
Researchers at Check Point saw Agent Smith used only for pushing ads, but they say its operators may use it for more nefarious purposes, such as stealing banking credentials.
Agent Smith was observed lurking in popular third-party app stores such as 9Apps, which mostly serves Indian, Arabic-speaking, and Indonesian users. However, infections were also seen on devices in Saudi Arabia (245k), Australia (141k), the U.K. (137k), and the U.S. (303k).
The largest number of infected devices were in India (over 15 million), followed by Bangladesh (over 2.5 million) and Pakistan (almost 1.7 million). Indonesia came fourth with about 570,000 infected devices.
The list of targeted Android applications hardcoded in the malware includes the following:
This list is used when Agent Smith cannot reach the C2 and retrieve an updated version.
The malware does not limit itself to infecting only one app; it will replace any and all installed apps that are on its target list. An infected device will be revisited over time and served the latest malicious patches, the researchers say.
Looking at the variants of the malware, analysts discovered more than 360 different dropper strains.
Agent Smith droppers
According to Check Point findings, the first signs of Agent Smith can be traced as far back as early 2016. For two years, the threat actor tested the 9Apps store as a distribution channel and published numerous apps that would serve as droppers.
Between May 2018 and April 2019, the operators began trying out the capability to compromise legitimate apps and matured the campaign through updates, as well as by moving the infrastructure to AWS cloud services.
It seems that Agent Smith threat actors were trying to make the move to the official Android store, as researchers found 11 apps in Google Play that included “a malicious yet dormant SDK related to ‘Agent Smith’ actor.” The researchers notified Google and the bad apps were removed.