Regain Your Privacy

Beware of “Agent Smith” malware, 25 million devices affected

Researchers from Check Point recently discovered a new variant of mobile malware that infected around 25 million devices. In early 2019, the Check Point Research team observed a surge of Android malware attack attempts against users in India which had strong characteristics of Janus vulnerability abuse. In this post, we take a look at the key points and the precautions to be taken against “Agent Smith” malware.

Image – Agent Smith / Source – flimlink.com.au

#1.How it Works

  1. A dropper app (e.g. a lookalike of a photo utility, a game, or a sex-related app) lures the victim into installing it voluntarily.
  2. The dropper automatically decrypts and installs its core malware APK, which later conducts malicious patching and app updates. The core malware usually poses as Google Updater, Google Update for U or “com.google.vending”. The core malware’s icon is hidden.
  3. The core malware then extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from some other server), it extracts the base APK of the innocent target app on the device, patches the APK with malicious ad modules, and installs the APK back, replacing the original one as if it were an update.

Image – Agent Smith’s Attack Flow / Source – Checkpoint site

#2.Default app list that “Agent Smith” malware uses

“Agent Smith” gets a fresh list of applications to search for; if that fails, it uses the default app list below:

  • whatsapp
  • lenovo.anyshare.gps
  • mxtech.videoplayer.ad
  • jio.jioplay.tv
  • jio.media.jiobeats
  • jiochat.jiochatapp
  • jio.join
  • good.gamecollection
  • opera.mini.native
  • startv.hotstar
  • meitu.beautyplusme
  • domobile.applock
  • touchtype.swiftkey
  • flipkart.android
  • cn.xender
  • eterno
  • truecaller

For each application on the list, “Agent Smith” infects the application using any of the available methods. After all of the required changes, “Agent Smith” compiles the application and builds a DEX file (an executable file that contains compiled code for the Android platform) containing both the original code of the original application and the malicious payload.

Finally, “Agent Smith” builds another APK file, separate from the original APK file, using the Janus vulnerability:

Image – Infected APK file structure
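
A defender-side check for the file structure described above, as an added example that is not code from Check Point or from the original post. It assumes a Janus-style file carries DEX data ahead of the ZIP content, so the file begins with the DEX magic yet still parses as a ZIP archive; the function names and sample bytes are constructed for illustration.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"  # DEX files start with "dex\n", three version digits, NUL


def has_dex_header(data: bytes) -> bool:
    return data[:4] == DEX_MAGIC and data[4:7].isdigit() and data[7:8] == b"\x00"


def inspect_apk(data: bytes) -> dict:
    """Classify a file by what sits in front of its ZIP content."""
    result = {"dex_header": has_dex_header(data), "zip": False,
              "leading_bytes": None, "verdict": "not-an-apk"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            offsets = [info.header_offset for info in zf.infolist()]
    except zipfile.BadZipFile:
        return result
    result["zip"] = True
    # zipfile corrects header_offset for prepended data, so the smallest
    # offset is the number of bytes placed ahead of the first ZIP entry.
    result["leading_bytes"] = min(offsets) if offsets else 0
    if result["dex_header"]:
        result["verdict"] = "dex-and-zip"      # Janus-style dual-format file
    elif result["leading_bytes"] > 0:
        result["verdict"] = "prepended-data"   # something else precedes the ZIP
    else:
        result["verdict"] = "plain-zip"        # what a normal APK looks like
    return result


def build_constructed_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with two placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_constructed_apk()
    # Constructed 112-byte block carrying only a DEX magic, no real code.
    suspicious = b"dex\n035\x00" + bytes(104) + clean
    for label, blob in (("clean", clean), ("suspicious", suspicious)):
        print(label, inspect_apk(blob))
```

A file that reports `dex-and-zip` or `prepended-data` deserves a closer look before it is installed or trusted as an update.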

“Agent Smith” would then replace the original application’s activities with an in-house SDK’s activity, which will show the ad banner received from the server.

The “Agent Smith” campaign is primarily targeted at Indian users, who represent 59% of the impacted population.

Image – Agent Smith Infection heat map
Image – Slice of affected Google Play Store apps

Check Point Research reported these dangerous apps to Google. Currently, all bespoke apps have been taken down from the Google Play store.

#3.Take adequate precautions while installing updates/new apps

  1. Read up on the type of mobile app you’re looking for, and on the particular mobile app you’re considering.
  2. Take the time to walk through the app permissions. Check if the app description in the app store or on the developer’s website explains why it needs each permission, or contact the developer directly. According to Symantec, these are the risky permissions:
    • Location tracking
    • Camera access
    • Audio recording
    • Phone logs access (read)
    • SMS messages access (read)
  3. Download only from the Apple App Store and Google Play. They will probably have the cleanest, most recent version of the program. Don’t install any third-party apps or apps from unknown APK sources.

Published by Karthik on Upnxtblog
