‘Agent Smith’ malware replaces legit Android apps with fake ones on 25 million devices

Researchers from cybersecurity vendor Check Point have found a new kind of mobile malware targeting Android devices.

Called “Agent Smith,” the malware has been found to exploit known vulnerabilities in Android to replace legitimately installed apps on the device with malicious versions, without requiring any user intervention.

According to their analysis, Agent Smith leverages its broad access privileges to display fraudulent ads.

Primarily targeting devices in India, and other Asian countries such as Pakistan and Bangladesh, the malware has surreptitiously affected around 25 million unique devices, with each victim suffering “roughly 112 swaps of innocent applications.” Infections have mostly been reported on devices running Android 5 and 6.

In its current form, Agent Smith is being exploited for financial gain by serving malicious advertisements. But given its ability to impersonate popular Android apps, the researchers warn that “there are endless possibilities for this sort of malware to harm a user’s device.”

How does Agent Smith work?

Check Point researchers said they first encountered the malware in early 2019, after observing a surge in Android malware attack attempts against users in India. The attack itself uses a three-stage infection chain to build a botnet of devices that are controlled from a command-and-control (C&C) server, which issues the malicious commands.

  • The entry point is a dropper app, which the victim installs on an Android device voluntarily. These are usually repackaged versions of legitimate apps like Temple Run with extra code added.
  • The dropper app automatically installs a malware app, essentially an Android package (.APK) file, whose icon stays hidden from the home screen launcher. These also evade detection by disguising themselves as Google-related updaters.
  • The core malware APK extracts the list of installed apps on the device and checks it against a “prey list” of apps, either hard-coded or issued by the C&C server. If it finds a match, it extracts the base APK file of the target app, patches the APK with malicious ad modules, and installs the new ‘copycat’ version of the app as if it were a regular app update.

Credit: Check Point Research

The extra code in the dropper app, known as a loader, is mainly there to extract and load a “core” module, which communicates with the C&C server to fetch the list of popular apps to scan the device for.

That list includes some of the most popular apps used in India, such as WhatsApp, SHAREit, MX Player, JioTV, Flipkart, Truecaller, Dailyhunt, Hotstar (a video streaming service operated by Star India, a subsidiary of Walt Disney), and more.

Upon finding a target app on the Android device, the “core” module then takes advantage of the known Janus vulnerability, previously reported by Belgium-based security firm GuardSquare in 2017, to replace any…
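The Janus technique the article refers to works by gluing a DEX file in front of a signed APK, so the old (v1) signature still verifies on the trailing archive while the runtime executes the leading code. The following defender-side check is an added example and not code from the article or from Check Point: it classifies a package file by looking for a DEX header at offset 0 on something that still parses as a zip, which is the hybrid shape; the sample inputs are constructed in-memory stand-ins, not real APKs.

```python
"""Heuristic check for Janus-style DEX/APK hybrid package files."""
import io
import zipfile

DEX_MAGIC = b"dex\n"        # first four bytes of a DEX header, e.g. "dex\n035\0"
ZIP_MAGIC = b"PK\x03\x04"   # ZIP local-file-header signature that a normal APK starts with


def classify_package(data: bytes) -> str:
    """Return 'apk', 'dex', 'janus-hybrid' or 'unknown' for the given file bytes."""
    # is_zipfile locates the end-of-central-directory record from the END of the
    # file, so it still succeeds when arbitrary bytes are prepended to an archive.
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    if data.startswith(ZIP_MAGIC) and is_zip:
        return "apk"
    if data.startswith(DEX_MAGIC):
        # DEX header at offset 0 AND a valid zip trailer is the hybrid layout.
        return "janus-hybrid" if is_zip else "dex"
    return "unknown"


def build_sample_apk() -> bytes:
    """Constructed stand-in for a legitimate APK: a tiny zip with a manifest and a dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()


def build_sample_hybrid() -> bytes:
    """Constructed hybrid: a fake DEX header prepended to the sample APK."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 60
    return fake_dex + build_sample_apk()


if __name__ == "__main__":
    # Run over a base.apk pulled from a device to check its on-disk layout.
    for name, blob in (("clean", build_sample_apk()), ("hybrid", build_sample_hybrid())):
        print(f"{name}: {classify_package(blob)}")
```

Devices that verify the v2 (whole-file) signature scheme reject such hybrids at install time, which is consistent with the article's note that infections cluster on Android 5 and 6.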

https://thenextweb.com/security/2019/07/10/agent-smith-malware-replaces-legit-android-apps-with-fake-ones-on-25-million-devices/
