A new smartphone malware called "Agent Smith" has been found that has infected 25 million devices worldwide, including 15 million in India, Check Point Research claims. The malware disguises itself as a Google-related application and then replaces installed applications with malicious versions of them using known Android vulnerabilities without users' knowledge. Separately, the cyber threat intelligence firm has released the top three malware that were active in June, including Lotoor, which is mainly used to display ads, but is also able to get access to sensitive user data.
As per a press note shared by Check Point Research, the Agent Smith malware uses its access to Android devices to show fake ads for financial gain, but given its access, it can also be used for more nefarious purposes. However, it is unclear if the malware has been doing so.
Check Point Research notes that the activity of Agent Smith resembles closely to how other malware like CopyCat, Gooligan, and HummingBad have operated in the recent years. All three malware campaigns have used infected devices to generate fake ad revenue to the tune of millions of dollars.
"Disguised as a Google-related application, the malware exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without users' knowledge or interaction," the note adds.
According to the research firm, Agent Smith originated on popular third-party app store 9Apps and has targeted mainly Arabic, Hindi, Indonesian, and Russian speakers. Majority of the malware's victims are based in India and neighbouring countries like Bangladesh and Pakistan. Check Point Research has also found infected devices in countries like Australia, UK, and USA.
Some of the apps that have been used to infect devices via 9Apps store are Color Phone Flash – Call Screen Theme, Photo Projector, Rabbit Temple, Kiss Game : Touch Her Heart, and Girl Cloth XRay Scan Simulator.
This is not all, after the initial attack vector via 9Apps, the creators of Agent Smith moved to Google Play Store and were able to push at least 11 malware laden app in the store. The apps included Blockman Go: Free Realms & Mini Games by Blockman Go Studio, Cooking Witch by Ghost Rabbit, Ludo Master – New Ludo Game 2019 For Free by Hippo Lab, Angry Virus by A-Little Game, Bio Blast – Infinity Battle: Shoot virus! by Taplegend, Shooting Jet by Gaming Hippo, Gun Hero: Gunman Game for Free by Simplefreegames, Clash of Virus by BrainyCoolGuy, Star Range by A-little Game, Crazy Juicer – Hot Knife Hit Game & Juice Blast by Mint Games Global, and Sky Warriors: General Attack.
Some of the infected Google Play apps and games had over 100,000 installs, however two of them managed to clock over 10 million installs. Google has removed all the apps from Google Play, however if you have any of these apps installed you are most likely infected by the Agent Smith malware. You can remove the malware-laden app by going to Settings > Apps and uninstalling the app.
Check Point Research says the Android users should only use trusted app stores to download apps as "third party app stores often lack the security measures required to block adware loaded apps." You can find technical analysis of the Agent Smith malware on Check Point blog.
In a separate press note, Check Point Research says Lotoor, Triada, and Ztorg topped the mobile malware list in June. While Lotoor's main function is displaying ads, Triada is a modular backdoor for Android, which grants super user privileges to downloaded malware. Ztorg, on the other hand, obtains escalated privileges on Android devices and install itself in the system directory. The malware is also able to install any other application on the device.