Hearing the name Agent Smith would probably make you think of the antagonist of the Matrix movies played by the highly talented Hugo Weaving. However, that is also the name now given to a notorious Android malware that has reportedly infected over 25 million devices globally, with roughly 15 million of those smartphones being in India. As discovered by the security firm Check Point Research, the malware is said to have infected numerous popular apps, including WhatsApp, Flipkart, Hotstar, and more.
The Agent Smith malware takes advantage of known Android vulnerabilities to make copies of itself and take over legitimate applications, hence its name. According to the intelligence gathered by the Check Point Research team, the primary source of the attack appears to be the third-party app store “9Apps”. Furthermore, the main targets of the malware appear to be South Asian countries including India, Pakistan, and Indonesia. However, a good chunk of the affected devices also belongs to developed countries such as Saudi Arabia, the UK, and the US.
What Does Agent Smith Malware Do? How does it Work?
The Agent Smith malware gains broad access to a target device and shows fraudulent ads on it for financial gain. This activity closely resembles previously detected malware campaigns such as Gooligan, CopyCat, and Hummingbird. For now, this seems to be the extent of what the malware does. However, the potential risk goes beyond displaying annoying ads: the same access could let an attacker obtain confidential information such as your bank details.
The extent to which Agent Smith goes to infect a smartphone is impressively thorough. It lures unsuspecting victims into downloading a ‘dropper app.’ Such an app needs to be voluntarily downloaded and is usually dispatched via unauthorized and unregulated sources such as 9Apps. Most of these malicious dropper variants are usually games, photo utilities, or sex-related apps.
An Agent Smith dropper carries an encrypted package that extracts itself and disguises itself as Google Updater, Google Update for U or “com.google.vending”, and even hides its app icon from the app drawer. It then obtains a list of installed apps, locates an application on its prey list, extracts that app’s base APK, injects malicious ad modules into the APK, repackages it, and reinstalls it as if it were an update.
According to Check Point, Agent Smith droppers have shown a rather greedy infection tactic, where infecting one innocent application is not enough. Its goal is to infect every single app on the phone that might be present on its prey list.
Who Has Been Affected?
Based on the obtained evidence, about 59 percent out of the 25 million affected devices belong to Indian owners. Sorting the list of affected devices by brand distribution reveals that 26 percent of all devices affected are from Samsung. Other popular brands infected include Xiaomi at 6.1 percent, Vivo at 5.5 percent, and OPPO at 4.4 percent. While most of the devices impacted run on Android 5 Lollipop and Android 6 Marshmallow, some affected smartphones also run on newer versions of the OS.
While most of the apps with Agent Smith droppers come from 9Apps, Check Point also discovered 11 apps on Google’s Play Store that contained dormant SDKs of the malware. Thankfully, the team was able to notify Google in time, and all of these apps have been taken down.
A few of the popular apps used in India that are likely to be on the prey list include WhatsApp, Hotstar, Swiftkey, Applock, Flipkart, True Caller, Opera Mini, and a whole slew of Jio apps. If you have installed one of these – or any other app – from anywhere other than the Play Store and have noticed a rise in the number of ads being pushed to you (perhaps when opening any of the apps mentioned above), you might be affected. If you have used 9Apps in the past, there is a good chance Agent Smith is currently on your smartphone.
Remedy Against Agent Smith Malware
There is a rather simple way to find out if the Agent Smith malware program has infected your smartphone. Head over to your settings menu and open the list of installed applications. From there, look out for app names such as ‘Google Updater’, ‘Google Installer for U’, ‘Google Powers’.
If you do find such ghost applications, the solution is also rather simple. Uninstall all such apps that seem dubious. Also, consider reinstalling applications you think may have been affected by the malware. It goes without saying that the reinstall should be done through a trusted app store such as the Google Play Store, as should all future app installs.
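For anyone checking a device with a USB cable rather than by scrolling through Settings, the same check can be scripted. The script below is an added example, not code from the article or from Check Point: it reads a dump of `adb shell pm list packages -i -3` (third-party packages with their installer), flags the “com.google.vending” package name the article mentions, and separately flags every package whose installer is not Google Play, since Agent Smith spreads through sideloaded apps. The line format `package:<name>  installer=<pkg|null>`, the trusted-installer list, and the sample dump are assumptions constructed for the example; the display names ‘Google Updater’, ‘Google Installer for U’ and ‘Google Powers’ are app labels, not package names, so those still have to be checked in the Settings app list as described above.

```shell
#!/bin/sh
# Added example (not from the article or Check Point): triage an
# `adb shell pm list packages -i -3` dump for the indicators the article names.
# Assumed line format: "package:<name>  installer=<installer pkg or null>".

# Installers treated as trusted (assumption: Google Play only; add your
# vendor's store here if you use it deliberately).
TRUSTED_INSTALLERS="com.android.vending"

# Package names the article ties to Agent Smith's hidden component.
SUSPECT_PKGS="com.google.vending"

# in_list NEEDLE "space separated list" -> exit 0 if NEEDLE is in the list.
in_list() {
  for item in $2; do
    [ "$item" = "$1" ] && return 0
  done
  return 1
}

# triage: reads pm output on stdin, prints "<verdict> <package> <installer>".
# Verdicts: SUSPECT   = package name on the indicator list
#           SIDELOADED = installed by something other than a trusted store
#           OK         = installed by a trusted store
triage() {
  tr -d '\r' | while IFS= read -r line; do
    case $line in
      package:*) ;;
      *) continue ;;   # skip blank lines and adb chatter
    esac
    rest=${line#package:}
    pkg=${rest%%[[:space:]]*}
    case $rest in
      *installer=*) installer=${rest##*installer=} ;;
      *) installer=unknown ;;   # older pm output without -i support
    esac
    if in_list "$pkg" "$SUSPECT_PKGS"; then
      verdict=SUSPECT
    elif in_list "$installer" "$TRUSTED_INSTALLERS"; then
      verdict=OK
    else
      verdict=SIDELOADED
    fi
    printf '%s %s %s\n' "$verdict" "$pkg" "$installer"
  done
}

# count_verdict VERDICT: number of packages on stdin that got that verdict.
count_verdict() {
  triage | awk -v v="$1" '$1 == v { n++ } END { print n + 0 }'
}

# Constructed sample dump (com.example.* entries are placeholders, not real apps).
SAMPLE_DUMP='package:com.whatsapp  installer=com.android.vending
package:com.google.vending  installer=null
package:com.example.photofilter  installer=com.example.thirdparty.store
package:com.example.shopping  installer=com.android.vending'

# Run on the sample. On a real device replace with:
#   adb shell pm list packages -i -3 | triage
printf '%s\n' "$SAMPLE_DUMP" | triage
```

A SUSPECT line is the signal to uninstall and reinstall from the Play Store as the article advises; SIDELOADED lines are not proof of infection, but they are exactly the apps Agent Smith’s prey list would have been able to repackage, so they are the ones worth reinstalling from a trusted source.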