Researchers from cybersecurity vendor Check Point have discovered a new kind of mobile malware targeting Android devices.

Dubbed Agent Smith, the malware has been found to exploit known weaknesses in the Android operating system to replace legitimate installed apps on the device with malicious versions without requiring users’ intervention.

Based on their research, Agent Smith has been found to leverage its broad access privileges to display fraudulent ads and profit off them.

Primarily targeting devices in India, and other Asian countries like Pakistan and Bangladesh, the malware has surrepitiously affected around 25 million unique devices, with each victim suffering “roughly 112 swaps of innocent applications.”

The infections were mainly reported on devices running Android 5 and 6, with most  infections lasting for a period of at least two months.

In its present form, Agent Smith is being exploited for financial gain by serving malicious advertisements. But given its capabilities to impersonate popular Android apps, the researchers caution that “there are endless possibilities for this sort of malware to harm a user’s device.”

How does Agent Smith work?

Check Point researchers said they encountered the malware in early 2019 after observing a surge of Android malware attack attempts against users in India. Complicating the matter is its stealthy infection methodology, which makes it hard to detect until a device has been compromised.

It leverages a three-stage infection chain in order to build a botnet of devices that are controlled from a command-and-control (C&C) server to issue malicious commands.

  • The entry point is a dropper app, which the victim installs on an Android device voluntarily. These are usually repackaged versions of legitimate apps like Temple Run with additional code.
  • The dropper app automatically installs a malware app — essentially an Android package (.APK) file — whose icon remains hidden from the home screen launcher. They also escape detection by disguising themselves as Google-related updaters.
  • The core malware APK extracts the list of installed apps on the device, and scans it against a “prey list” of apps — either hard-coded or issued from the C&C server. If it finds a match, it extracts the base APK file of the target app, injects the APK with malicious ad modules, and installs the new ‘copycat’ version of the app as if it were a regular app update.

Credit: Check Point Research

The additional code in the dropper app — called a loader — is mainly meant to extract and load a “core” module, which communicates with the C&C server to fetch the list of Android apps to scan the device for.

It includes some of the most popular apps used in India like WhatsApp, SHAREit, MX Player, JioTV, Flipkart, Truecaller, Dailyhunt, Hotstar (a video streaming service operated by Star India, a subsidiary of Walt Disney), and more.

Upon finding the target app on the Android device, the “core” module then takes advantage of the known Janus vulnerability — previously reported by Belgium-based security firm GuardSquare in 2017 — to replace the legitimate application with an infected version, but without altering the app’s signature.

Once the infected app has been installed on the device, a “boot” module in the app extracts and executes the malicious payload. But to prevent a real update from the developer overwriting all the changes done to the app, a “patch” module cleverly disables automatic updates for the copycat application.

With everything in place, the malicious payload now requests the C&C server to serve malware-ridden ads. The C&C servers, in turn, helped Check Point researchers narrow down the domains used by the threat actor for delivering prey list and rogue ads to the infected devices.

Who is the threat actor?

According to the researchers, Agent Smith has been around since January 2016. Hackers began to use 9Apps as a distribution channel for adware by building an array of dropper apps.

9Apps is a third-party Android app store backed by UCWeb, which Alibaba Group acquired in 2014. One of its most popular products is UC Browser — a web browser app with a strong presence in markets like China, India, and Indonesia.

The malware campaign, which began as a series of garden-variety adware blasts, intensified during the later half of 2018, before dropping significantly earlier this year.

Credit: Check Point Research