Dangerous malware replaces code in existing apps to covertly infiltrate over 25 million Android devices

Cyber-security solutions provider Check Point Research has discovered a new variant of an existing malware that targeted Android devices.

Named “Agent Smith” after the character from The Matrix, the malware was able to mimic and replace apps installed on a device without detection. It has covertly infected around 25 million devices, including 15 million mobile devices in India alone.

To put that into perspective, the total number of devices infected by the malware is equivalent to close to 90% of the population of Malaysia.

Made in China

The researchers have reason to believe that “Agent Smith” originated from a Chinese internet company located in Guangzhou with a front that claimed to offer services that help Chinese Android developers publish and promote their apps globally.

The malware is so advanced that it looks for popular apps installed on an Android device, such as WhatsApp, Opera Mini or Flipkart, and then replaces the code in the app to prevent it from being updated, while at the same time exploiting vulnerabilities in the system without the user’s knowledge or interaction.

Once it has successfully installed itself on a device, the malware uses its access to instruct the infected app to display more ads than normal, or takes credit for the ads the app already displays. This allows the hacker responsible for the attack to make money from ad revenue.

While displaying more ads on your phone may seem harmless, Check Point Research warns that the malware could be easily altered for far more intrusive and harmful purposes such as stealing banking credentials and eavesdropping on conversations or messages.

Third-party app store

The malware spreads mainly through a third-party app store called 9Apps and mostly targeted Hindi-, Arabic-, Russian- and Indonesian-speaking users. In India alone, over 15 million Android devices were infected.

Other Asian countries such as Pakistan and Bangladesh have also been impacted. There has also been a noticeable number of infected devices in the United Kingdom, Australia and the United States.

In the third-party app store, the malware would hide inside “barely functioning photo utility, games, or sex-related apps,” Check Point wrote.

The malware’s operator also appears to have attempted to make the malicious app available on the Google Play Store itself, where it managed to sneak in 11 apps that featured code related to a watered-down version of the malware.

“The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,” said Jonathan Shimonovich, Head of Mobile Threat Detection Research at Check Point Software Technologies.

He added that “users should only be downloading apps from trusted app stores to mitigate the risk of infection as third-party app stores often lack the security measures required to block adware loaded apps.”

The vulnerability that allowed the malware to infiltrate millions of Android devices has since been patched. Check Point also said that it worked closely with Google to remove all the related malicious apps that existed on the Play Store.
