"Agent Smith" infected over 25 million Android devices

Many companies use malicious software to push unauthorized advertising. Check Point researchers have identified a malicious program, dubbed "Agent Smith", that hit more than 25 million Android devices. On an infected device it silently replaced legitimate applications with clones that served unauthorized advertising.

The researchers traced the developer of "Agent Smith" to a Chinese high-tech company specializing in promoting apps from Chinese developers. They also determined that distribution of the malware began in 2018. "Agent Smith" first reached users through the 9Apps app store, which is associated with the developers of the UC Browser mobile browser. Most infected devices belong to users in Asia: 15.2 million devices in India, 2.5 million in Bangladesh and 1.7 million in Pakistan, with around 300 thousand others also infected. Smartphones running outdated Android versions 5 and 6, which have not received OS updates for a long time, are susceptible to infection.

Applications infected with Agent Smith also began to appear on the Google Play store. The researchers identified 11 such applications, which were promptly removed from Google Play after being reported to Google's security team.

In an infected application, a malicious component disguised as an SDK downloaded and installed a whole package of applications containing Agent Smith. After installation, the malware enumerated the installed applications, compared the list with its target list, and replaced matches with clone programs that served unauthorized ads. The target list contained 16 applications, including WhatsApp, Lenovo AnyShare, Opera Mini, Flipkart and TrueCaller.

Such application replacement is a fairly complex technical process. It exploited the Janus vulnerability (CVE-2017-13156) in Android, which allows content to be added to an APK while bypassing its digital-signature check. After installing a clone, "Agent Smith" also blocked updates to it so that the malicious code could not be removed by an update.
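As an added illustration (not from the article or Check Point's report) of what a defender can check for: a Janus-shaped file is simultaneously a valid DEX (header at offset 0) and a valid ZIP/APK (central directory at the end), which is how content could be added without breaking the older JAR-style (v1) signature, while APK Signature Scheme v2 covers the whole file and defeats the trick. The sample archive, the prepended fake DEX header and the empty signing block below are constructed test fixtures, not a working Janus file or a real signature.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                       # every DEX file begins with "dex\n" + version
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # last 16 bytes of an APK Signing Block (scheme v2/v3)
EOCD_SIG = b"PK\x05\x06"                   # ZIP end-of-central-directory record


def eocd_fields(data: bytes):
    """Return (eocd_index, size_cd, offset_cd) from the ZIP end record, or None."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0 or idx + 22 > len(data):
        return None
    size_cd, offset_cd = struct.unpack_from("<II", data, idx + 12)
    return idx, size_cd, offset_cd

def looks_like_janus(data: bytes) -> bool:
    """A file that starts with a DEX header yet still parses as a ZIP is Janus-shaped."""
    return data[:4] == DEX_MAGIC and zipfile.is_zipfile(io.BytesIO(data))

def has_v2_signing_block(data: bytes) -> bool:
    """True if the 16 bytes just before the central directory carry the v2 magic."""
    fields = eocd_fields(data)
    # Only trust the stored offset if the central directory really ends at the EOCD.
    if fields is None or fields[2] + fields[1] != fields[0] or fields[2] < 16:
        return False
    off = fields[2]
    return data[off - 16:off] == APK_SIG_BLOCK_MAGIC

def build_sample_apk() -> bytes:
    """Constructed minimal APK-like ZIP (v1 style, no APK Signing Block)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
    return buf.getvalue()

def build_janus_shaped_fixture() -> bytes:
    """Constructed test fixture only: a fake DEX header glued in front of the ZIP."""
    return b"dex\n035\x00" + b"\x00" * 24 + build_sample_apk()

def add_empty_signing_block(data: bytes) -> bytes:
    """Constructed fixture: insert an empty (unsigned) APK Signing Block before the CD."""
    idx, size_cd, offset_cd = eocd_fields(data)
    block = struct.pack("<Q", 24) + struct.pack("<Q", 24) + APK_SIG_BLOCK_MAGIC
    eocd = data[idx:idx + 16] + struct.pack("<I", offset_cd + len(block)) + data[idx + 20:]
    return data[:offset_cd] + block + data[offset_cd:idx] + eocd
```

An APK that reports `looks_like_janus` True, or that carries no signing block at all, is one whose integrity rests solely on the v1 check this vulnerability undermined and deserves closer inspection.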