PDFelement Anniversary Sale 40% OFF
Coursera: Build New Skills Anytime, Anywhere with 100% online courses. Start Now!
Start your future with a Business Analytics Certificate.

Beware of “Agent Smith” malware,25 million devices affected

Recently researchers from Check Point discovered a new variant of mobile malware that infected around 25 million devices. In early 2019, the Check Point Research team observed a surge of Android malware attack attempts against users in India which had strong characteristics of Janus vulnerability abuse, In this post,we take look at the key points and precautions to be taken against “Agent Smith” malware.

Agent Smith

Image – Agent Smith / Source – flimlink.com.au

#1.How it Works

  1. A dropper app (ex.Look a like of photo utility, games, or sex related apps) lures victim to install itself voluntarily.
  2. Dropper automatically decrypts and installs its core malware APK that later conducts malicious patching and app updates. The core malware would mostly be looking like Google Updater, Google Update for U or “com.google.vending”. The core malware’s icon is hidden.
  3. Core malware then extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent from some other server), it will extract the base APK of the target innocent app on the device and  patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update.

Image – Agent Smith’s Attack Flow / Source – Checkpoint site

#2.Default app list that “Agent Smith” malware uses

“Agent Smith” gets the fresh list of applications to search for, or if that fails, it would use below default app list:

nordvpn
  • whatsapp
  • lenovo.anyshare.gps
  • mxtech.videoplayer.ad
  • jio.jioplay.tv
  • jio.media.jiobeats
  • jiochat.jiochatapp
  • jio.join
  • good.gamecollection
  • opera.mini.native
  • startv.hotstar
  • meitu.beautyplusme
  • domobile.applock
  • touchtype.swiftkey
  • flipkart.android
  • cn.xender
  • eterno
  • truecaller

For each application on the list, “Agent Smith” infects the application using any of the available methods.After all of the required changes, “Agent Smith” compiles the application and builds a DEX file (executable file that contains compiled code for Android platform) containing both the original code of the original application + malicious payload.

Finally “Agent Smith” builds another APK file apart from the original APK file using Janus vulnerability:

Use the code UFC20 during checkout for Ivacy VPN subscription plans,You'll get an additional 20% off.

Subscribe to Emails

More than 100,000 subscribers across the world trust & read Upnxtblog articles. Subscribe to emails updates!
* indicates required

Image – Infected APK file structure

“Agent Smith” would then replace the original application’s activities with an in-house SDK’s activity, which will show the ad banner received from the server.

The “Agent Smith” campaign is primarily targeted at Indian users, who represent 59% of the impacted population.

A powerful and intuitive video editing experience

Image – Agent Smith Infection heat map

Image – Slice of affected Google Playstore apps

Check Point Research reported these dangerous apps to Google. Currently, all bespoke apps have been taken down from the Google Play store.

#3.Do take adequate precautions while installing updates/new app

  1. Read up on the type of mobile app you’re looking for, and on the particular mobile app you’re considering
  2. Take the time to walk through the app permissions.Check if the app description in the app store or on the developer’s website explains why it needs this permission, or contact the developer directly.According to Symantec,these are the risky permissions :
    • Location tracking
    • Camera access
    • Audio recording
    • Phone logs access (read)
    • SMS messages access (read)
  3. Download only  from Apple App Store and Google Play Apps.They will probably have the cleanest, most recent version of the program.Don’t install any of third party apps or from unknown APK sources.

Like this post? Don’t forget to share it!

#4.References :

#5.Additional Resources :

Summary
Beware of "Agent Smith" malware,25 million devices affected
Article Name
Beware of "Agent Smith" malware,25 million devices affected
Description
In this post,we take look at the key points and precautions to be taken against "Agent Smith" malware.
Author
Publisher Name
Upnxtblog
Publisher Logo
%d bloggers like this: