Malware researchers have revealed a new malicious campaign targeting Android devices that swaps genuine apps with forged copies built to push advertisements or hijack legitimate ad events.

Approximately 25 million devices have already been affected by the “Agent Smith” malware after users installed an app from an unofficial Android store.

Victims are enticed with the promise of a photo utility, game, or adult app that contains the malicious payload. Once on the device, the lure app decrypts and installs Agent Smith.

The malware tries to conceal its presence by posing as a Google utility (Google Updater, Google Update for U, or “com.google.vending”) and by hiding its icon from the user.

In the next phase, the malware checks whether any apps on the device match a list that is either hardcoded or received from the command-and-control (C2) server.

When a match is found, Agent Smith extracts the app’s base APK and adds a malicious ads module. It then replaces the original package with the tampered one, with the user none the wiser.

It is believed that a China-based company developed the malware in order to monetize its efforts by serving malicious ads.

To complete the update installation, the malware exploits the Janus flaw, which allows an app’s signature check to be bypassed and arbitrary code to be added to the app.
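The Janus weakness depends on a single file that parses both as a DEX executable and as a ZIP archive (an APK). The following check, added here as example code and not taken from the article or from Check Point, classifies a file by that shape and reports whether it carries an APK signature scheme v2 block, which is the signing mode that closes the gap; the sample inputs are constructed in the script.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"                  # classes.dex always begins with "dex\n" + version
ZIP_EOCD = b"PK\x05\x06"              # ZIP end-of-central-directory signature
V2_MAGIC = b"APK Sig Block 42"        # trailer magic of the APK Signing Block (v2/v3)


def is_zip_archive(data: bytes) -> bool:
    """True if the bytes end in a parseable ZIP archive, even with data prepended."""
    tail = data[-(22 + 65535):]       # EOCD is 22 bytes plus an optional comment
    if ZIP_EOCD not in tail:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None   # every member's CRC must check out
    except zipfile.BadZipFile:
        return False


def starts_as_dex(data: bytes) -> bool:
    return data[:4] == DEX_MAGIC


def has_v2_signing_block(data: bytes) -> bool:
    """A v2/v3-signed APK carries the signing block magic before its central directory."""
    return V2_MAGIC in data


def classify(data: bytes) -> str:
    """Return 'janus-hybrid', 'apk', 'dex' or 'other' for a file's raw bytes."""
    dex, zipped = starts_as_dex(data), is_zip_archive(data)
    if dex and zipped:
        return "janus-hybrid"         # parses as both: the shape a v1-only check accepts
    return "apk" if zipped else "dex" if dex else "other"


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal ZIP standing in for an unsigned APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 100)
    return buf.getvalue()


def build_sample_hybrid() -> bytes:
    """Constructed sample: a DEX-looking header prepended to the sample APK."""
    return DEX_MAGIC + b"035\0" + b"\0" * 100 + build_sample_apk()


if __name__ == "__main__":
    for name, blob in (("apk", build_sample_apk()), ("hybrid", build_sample_hybrid())):
        print(name, classify(blob), "v2-signed:", has_v2_signing_block(blob))
```

Real APKs also need their v2 signature verified, not merely present; this check only flags the file layout and the absence of the stronger signing scheme.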

Consequently, the Android user sees legitimate-looking apps spew ads. Even the original app’s ads are monetized by the Agent Smith operators, because the malware can capture the ad events and pass them to the ad broker with the attackers’ campaign IDs.

Researchers at Check Point believe that Agent Smith is currently used only for pushing ads, but they say its operators could use it for more harmful purposes, such as stealing banking credentials.

According to Check Point’s findings, the first signs of Agent Smith date back to early 2016. For two years, the threat actor tested the 9Apps store as a distribution channel and published many apps that would serve as droppers.
