
New Android malware discovered

Majority of victims located in India, Bangladesh, Pakistan

July 12, 2019 00:00:00

A new Android malware strain has been discovered that can infect devices and replace legitimate apps with clones that show a deluge of ads for a criminal group's profit, according to a report by www.zdnet.com.

The malware, named Agent Smith, has claimed over 25 million victims, according to a report shared with ZDNet before publication by cyber-security firm Check Point.

The vast majority of victims are located in India (15.2 million), Bangladesh (2.5 million), and Pakistan (1.7 million), and most users remain infected for a period of at least two months.

Check Point, which discovered this malware earlier this year, says it traced its operators to a Chinese tech company located in the city of Guangzhou.

The company, researchers said, operates a legitimate front-end business that helps Chinese Android app developers publish and promote their apps on overseas platforms.

However, Check Point said it found ads for job roles that were consistent with operating the Agent Smith malware infrastructure and had no connection to the company's real business.

The job listings were posted starting in 2018, when Check Point says the first versions of the malware also started appearing. Researchers didn't share any other details about the company, citing an ongoing law enforcement investigation.

As for the malware itself, there is worrying news for Android users.

While the current form of the Agent Smith malware appeared in early 2018 and has been around for more than a year, for most of that time it was distributed only via booby-trapped Android apps uploaded to 9Apps, an independent Android app store managed by UCWeb, the developer behind the UC Browser Android browser.

However, Check Point said that during recent months, apps infected with components used in the deployment of the Agent Smith malware have also begun appearing on the Google Play Store.

The company said it detected 11 such apps already, showing that the malware operators are setting up the base for a distribution campaign leveraging the official Android app store.

"Evidence implies that the 'Agent Smith' actor is currently laying the groundwork, increasing its Google Play penetration rate and waiting for the right timing to kick off attacks," Check Point said.

"By the time of this publication, two [Agent Smith] infected apps have reached 10 million downloads while others are still in their early stages."

Fortunately, Check Point has sabotaged this early deployment, reporting the infected apps to Google's security team, who intervened and removed all apps.

But despite this early takedown, Android users shouldn't feel safe. The Agent Smith malware has a novel structure and infection methodology that make it incredibly hard to detect until it's too late and a phone has been compromised.

The malware first appeared in 2016, when it worked like any other boring adware that blasted users with ads, and morphed into a highly complex operation in 2018.
