How to Spot and Remove Agent Smith Malware on Android

What Is Agent Smith Malware?

Agent Smith is a modular malware that exploits a series of Android vulnerabilities to replace legitimate, already-installed apps with malicious imitations. The malicious app doesn’t steal data. Instead, the replaced apps display a huge number of adverts to the user or steal credit from the device to pay for adverts already served.

The malware carries the “Agent Smith” moniker, the same name as the infamous Matrix character who is characterized as a virus. The Check Point research team reasons that the methods the malware uses to propagate are similar to Agent Smith’s techniques in the film series.

Moreover, Agent Smith has infected a huge number of devices. India has by far the most infections. The Check Point research indicates some 15 million devices carrying Agent Smith. The next closest country is Bangladesh, with around 2.5 million devices infected. There were over 300,000 Agent Smith infections in the US and around 137,000 in the UK.

How Does the Agent Smith Malware Work?

Check Point Research believes the Agent Smith malware originates from a Chinese company that helps Chinese Android developers publish and promote apps in foreign markets.

The malware first appeared on the third-party app store “9Apps.” The third-party app store targets Indian, Arabic, and Indonesian users, explaining the significant number of infections in those areas.

Agent Smith malware works in three phases:

  1. A dropper app lures the victim into installing the malware voluntarily. The initial dropper contains encrypted malicious files and usually takes the form of “barely functioning photo utility, games, or sex-related apps.”
  2. The dropper decrypts and installs the malicious files. The malware uses Google Updater, Google Update for U, or “com.google.vending” to disguise its activity.
  3. The core malware creates a list of installed apps. If an app matches its “prey list,” it patches the target app with a malicious advertising module, replacing the original as if it were a simple app update.

The prey list includes WhatsApp, Opera, SwiftKey, Flipkart, and Truecaller, among others.
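Because the core module works from a list of installed packages, a defender can triage a device from the same starting point. The following Python script is an added example (not Check Point’s tooling or anything from the write-up): it parses the output of `adb shell pm list packages -f`, flags the “com.google.vending” disguise package named above, lists any prey-list apps present so their APKs can be pulled and verified, and prints the `pm uninstall` commands for the flagged package. The prey-list package IDs are the Play Store identifiers as I know them and should be checked against the store listings; the sample `pm` output is constructed.

```python
"""Triage helper for the Agent Smith indicators described in the write-up.

Added example, not code from the original page or from Check Point.
Input is the text of `adb shell pm list packages -f`, one line per package:
    package:<apk path>=<package name>
"""

import re

# Package name the write-up says the dropper uses as a disguise (from the page).
DISGUISE_PACKAGES = {"com.google.vending"}

# Prey-list apps named in the write-up, mapped to their Play Store package IDs.
# Assumption: these IDs are correct; verify against the store before relying on them.
PREY_PACKAGES = {
    "com.whatsapp": "WhatsApp",
    "com.opera.browser": "Opera",
    "com.touchtype.swiftkey": "SwiftKey",
    "com.flipkart.android": "Flipkart",
    "com.truecaller": "Truecaller",
}

# One line of `pm list packages -f` output.
PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(output):
    """Return {package_name: apk_path}; lines that don't match the format are skipped."""
    installed = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def triage(output):
    """Classify installed packages against the indicators from the write-up.

    Returns a dict with:
      disguise       - packages matching the known disguise name (remove these)
      prey_present   - prey-list packages installed, with APK paths to pull and verify
      uninstall_cmds - removal commands for the disguise packages
    Note: display labels such as "Google Updater" are not visible in `pm list`
    output, so they are not matched here.
    """
    installed = parse_pm_list(output)
    disguise = sorted(p for p in installed if p in DISGUISE_PACKAGES)
    prey_present = {p: installed[p] for p in PREY_PACKAGES if p in installed}
    uninstall_cmds = [f"adb shell pm uninstall --user 0 {p}" for p in disguise]
    return {
        "disguise": disguise,
        "prey_present": prey_present,
        "uninstall_cmds": uninstall_cmds,
    }


# Constructed sample output, not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/data/app/com.google.vending-2/base.apk=com.google.vending
package:/data/app/com.truecaller-3/base.apk=com.truecaller
"""

if __name__ == "__main__":
    result = triage(SAMPLE_PM_OUTPUT)
    for pkg in result["disguise"]:
        print(f"[HIGH] disguise package installed: {pkg}")
    for pkg, path in result["prey_present"].items():
        print(f"[REVIEW] prey-list app {PREY_PACKAGES[pkg]} at {path}; pull and verify the APK")
    for cmd in result["uninstall_cmds"]:
        print(f"[REMOVE] {cmd}")
```

A prey-list app being installed is not by itself evidence of infection; it is the set of packages worth checking. Since the write-up says the malicious copy replaces the original “as if it was a simple app update,” the follow-up is to `adb pull` each listed APK and compare its signing certificate with the genuine developer’s, then reinstall the app from Google Play if it does not match.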

Interestingly, Agent Smith bundles together several Android vulnerabilities, including Janus, Bundle, and Man-in-the-Disk. The combination creates a three-stage infection process that allows the malware distributor to build a botnet monetized through adverts. The Check Point research team believes Agent Smith is “possibly the first campaign seen that integrates and weaponized” all the vulnerabilities together, making the malware “as malicious as they come.”

Agent Smith Malware Modules

Agent Smith malware uses a modular structure to infect targets, consisting of:

  1. Loader
  2. Core
  3. Boot
  4. Patch
  5. AdSDK
  6. Updater

The dropper is a repackaged legitimate application that also contains a malicious loader.

The loader extracts and runs the Core module, which in turn communicates with the malware’s command and control (C&C) server. The C&C server sends the prey list. If any prey-list apps are found on the device, the malware uses a vulnerability to inject the Boot module into the repackaged application.

The next time the infected application starts, the Boot module runs the Patch module, which uses the AdSDK module to introduce the adverts and begin generating revenue.

Another interesting element of Agent Smith is that it doesn’t stop at one malicious app. If Agent Smith finds multiple app matches on the prey list, it will replace each one with a malicious version. Agent Smith also issues malicious update patches to the repackaged apps, keeping the infection going and serving new advertising packages.

Removing Agent Smith Apps From Google Play

The main point of infection for Agent Smith was a third-party app store, 9Apps. However, Google Play wasn’t untouched. Check Point discovered 11 apps on the Google Play store containing a “malicious yet dormant” set of files relating to the Agent Smith actor. The Google Play versions of Agent Smith use a slightly different propagation technique but have the same end-goal.

Check Point reported the malicious apps to Google, and all were removed from the Google Play store.