[Photo 1: Agent Smith malware replaces real applications with fake versions, infecting 25 million Android devices]

"Agent Smith" malware replaces real applications with fake versions and has infected 25 million Android devices

Named "Agent Smith", this malware exploits known weaknesses in the Android operating system to replace applications installed on the device with malicious fake versions, with no user intervention required.

According to the researchers, Agent Smith also exploits its extensive access privileges to display phishing ads and monetize them.

This malware primarily targets devices in India and other Asian countries such as Pakistan and Bangladesh. So far it has infected about 25 million devices, and on the average victim nearly 112 applications were replaced.

Agent Smith is most common on devices running Android 5 and 6, and most infections have persisted for at least 2 months.

In its current form, Agent Smith is used by its operators to profit through malicious advertising. But given its ability to replace popular Android applications, researchers warn that there are countless ways this type of malware could harm a user's device.

How does Agent Smith work?

Check Point researchers said they first encountered the malware in early 2019, after observing a number of Android malware attacks aimed at Indian users. What makes the problem more complicated is that this malware's infection method is very quiet, making it extremely difficult to detect until the device has already been tampered with.

Agent Smith infects devices in three phases, building a botnet of many devices that can be controlled from a command-and-control (C&C) server to execute malicious commands.

– The first phase begins with a dropper application that the victim installs on the Android device voluntarily. These are usually repackaged versions of genuine applications such as Temple Run with additional code.

– This dropper application then automatically installs a malware application – usually an Android installation file (APK) – with its icon hidden from the launcher's home screen. It also evades detection by masquerading as a Google-related update.

– The main malware in the APK file enumerates the applications installed on the device and compares this list with a list of target applications (the "bait list") obtained from the C&C server or built into the malware. If there is a match, it extracts the application's APK file, inserts malicious ad modules into it, and installs the counterfeit version of the application as if it were an ordinary update.

The additional code in the dropper application – called the "loader" – is mainly used to extract and load a "core" module, which communicates with the C&C server to fetch the list of Android applications to scan for on the device.

This list includes many popular applications in India such as WhatsApp, SHAREit, MX Player, JioTV, Flipkart, Truecaller, Dailyhunt, Hotstar (a video streaming service operated by Star India, a subsidiary of Walt Disney) and many other applications.

When it finds a target application on the device, the "core" module exploits the Janus vulnerability – discovered by the Belgian security company GuardSquare in 2017 – to replace the real application with an infected version without changing the application's signature.

Once the infected application is installed on the device, a "boot" module inside it extracts and executes the malicious payload. To prevent the developer from releasing a genuine update that would overwrite the changes the malware has made to the application, it also deploys a "patch" module that turns off automatic updates for the cloned application.

Once everything is in place, the malware contacts the C&C server to pull down phishing ads. These C&C servers themselves helped Check Point researchers narrow down the list of domains the attackers used to deliver malicious lists and ads to infected devices.

Who is behind malware Agent Smith?

According to the researchers, Agent Smith has been around since January 2016, when the attackers began using 9Apps as an adware distribution channel by creating a variety of dropper applications.

9Apps is a third-party Android application store operated by UCWeb (acquired by Alibaba Group in 2014). One of the company's most popular products is UC Browser – a well-known web browser in markets such as China, India and Indonesia.

The malware campaign exploded in the second half of 2018, before a significant decline earlier this year.

[Photo 2: Top 5 dropper apps on 9Apps]

In recent months, the researchers also discovered 11 applications on the Google Play Store that contain Agent Smith's malicious components in a dormant state, showing that those behind this malware are starting to use Google's own application distribution platform to spread adware. Google removed these applications after receiving Check Point's report.

With the information obtained, the researchers were able to link the "Agent Smith" campaign to a Chinese Internet company based in Guangzhou. They found that the company runs a business helping Chinese Android developers publish and promote their applications on foreign platforms.

But Check Point said it found job advertisements for positions linked to the Agent Smith malware infrastructure that have nothing to do with the company's main business.

They also revealed that "Agent Smith's prey list not only includes common applications that are affected by the Janus vulnerability, to ensure the highest efficiency, but also contains many applications of competitors in order to undermine their competitiveness."

"Agent Smith's dropper application uses a very greedy infection tactic," Check Point said. "Replacing only one harmless application with an infected one is not enough for this type of malware. It does it for every application on the device as long as the app's name is in the bait list."

The malware's rapid growth is also the result of 9Apps operators allowing hundreds of pre-existing applications to remain on the platform – mostly variants of image, game, or application-editing apps, along with adult-entertainment-related apps.

"Agent Smith" particularly targets users in India, but the researchers also found attacks in Saudi Arabia, the United Kingdom and the United States. India alone accounts for more than 15 million infected Android devices.

[Photo 3: Agent Smith malware replaces real applications with fake versions, infecting 25 million Android devices]

In addition, the researchers found that the top five malicious dropper apps alone were downloaded more than 7.8 million times, and that Samsung and Xiaomi devices were the most infected devices in India.

This is not the first time attackers have taken advantage of third-party application distribution mechanisms to spread malware. Beyond the exploitation of a previously patched flaw, the concern is that the malware's operators are laying the groundwork for a distribution campaign through Android's official app store.

"AOSP has patched the Janus vulnerability since Android 7 by introducing APK Signature Scheme v2. However, to prevent abuse of Janus, application developers need to sign their applications with the new scheme so that Android can perform application integrity checks with its enhanced features," the researchers say.
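As an added illustration of the Janus issue described in the "core" module paragraph above and of the v2 signing mitigation the researchers mention (example code written for this article, not Check Point's or Google's tooling): a small Python triage check that classifies an APK image by whether it begins with a DEX header while still parsing as a ZIP (the hybrid shape Janus relies on, which a v1 signature over ZIP entries does not cover), and by whether it carries an APK Signing Block (the v2/v3 scheme, whose whole-file signature breaks if bytes are prepended). The sample files are constructed in memory with the standard `zipfile` module; the inserted signing block is a structural placeholder with no real signature, and the hybrid fixture is only a DEX magic glued in front of a ZIP, not a working DEX.

```python
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"                # every DEX version starts "dex\n0NN\0"
ZIP_EOCD_MAGIC = b"PK\x05\x06"             # ZIP end-of-central-directory record
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailing magic of the v2/v3 APK Signing Block


def has_dex_header(data: bytes) -> bool:
    """The file starts with a DEX header: the hybrid shape a Janus-style APK relies on."""
    return data[:4] == DEX_MAGIC_PREFIX and data[7:8] == b"\0"


def is_zip(data: bytes) -> bool:
    """A ZIP is located from its end, so prepended bytes do not stop it from parsing."""
    return zipfile.is_zipfile(io.BytesIO(data))


def _central_directory_start(data: bytes) -> int:
    """Absolute offset of the central directory, derived from the EOCD record."""
    eocd = data.rfind(ZIP_EOCD_MAGIC)
    if eocd < 0:
        return -1
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    return eocd - cd_size          # holds even when data was prepended to the ZIP


def has_apk_signing_block(data: bytes) -> bool:
    """v2/v3-signed APKs carry the signing block, ending in its magic, right before the central directory."""
    cd_start = _central_directory_start(data)
    if cd_start < 16:
        return False
    return data[cd_start - 16:cd_start] == APK_SIG_BLOCK_MAGIC


def classify_apk(data: bytes) -> str:
    """Coarse triage label for one APK image."""
    if not is_zip(data):
        return "not-an-apk"
    if has_dex_header(data):
        return "janus-hybrid"      # v1 signatures cover ZIP entries only, not these leading bytes
    if has_apk_signing_block(data):
        return "v2-signed"         # whole-file signature: leading bytes would invalidate it
    return "v1-only"


# --- constructed fixtures (not real apps) -----------------------------------

def build_v1_style_apk() -> bytes:
    """Minimal ZIP shaped like a v1-signed APK, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest placeholder>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        zf.writestr("META-INF/CERT.RSA", b"<constructed v1 signature placeholder>")
    return buf.getvalue()


def add_placeholder_signing_block(data: bytes) -> bytes:
    """Insert a structurally valid but empty APK Signing Block before the central directory."""
    eocd = data.rfind(ZIP_EOCD_MAGIC)
    cd_start = _central_directory_start(data)
    pairs = b"\0" * 8                                   # stand-in for the ID-value pairs
    size = len(pairs) + 8 + 16                          # "size of block" excludes the leading size field
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(data[:cd_start] + block + data[cd_start:])
    new_eocd = eocd + len(block)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    struct.pack_into("<I", out, new_eocd + 16, cd_offset + len(block))  # repoint the EOCD at the moved CD
    return bytes(out)


def build_hybrid_fixture() -> bytes:
    """A DEX magic glued in front of a ZIP: enough to exercise the check, not a working DEX."""
    return b"dex\n035\0" + b"\0" * 24 + build_v1_style_apk()


if __name__ == "__main__":
    samples = [
        ("v1-only", build_v1_style_apk()),
        ("v2-signed", add_placeholder_signing_block(build_v1_style_apk())),
        ("hybrid", build_hybrid_fixture()),
    ]
    for name, sample in samples:
        print(f"{name:10s} -> {classify_apk(sample)}")
```

The "v1-only" label is the state the researchers' advice addresses: such a package still installs on Android 5 and 6 and has no whole-file signature, so the check is a quick way to find packages in an inventory that have not yet been re-signed with the v2 scheme. Real verification of the signatures themselves belongs to the platform's `apksigner` tool; this script only inspects file layout.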

It should be emphasized that devices running older versions of Android can easily be affected by many types of attacks. But the research results also show that the system developers need to collaborate with device manufacturers, application developers and users so that patches are distributed, deployed and installed in a timely manner.

"Although the people behind Agent Smith decided to make illegal profits through advertising, others could adopt methods with a higher level of abuse and a higher level of danger. Today the malware may display unwanted ads, but tomorrow it may steal sensitive information, from private messages to bank login details and more," the researchers concluded.

Reference: TheNextWeb
