Beware of “Agent Smith” malware, 25 million devices affected

Researchers at Check Point recently discovered a new variant of mobile malware that has infected around 25 million devices. In early 2019, the Check Point Research team observed a surge of Android malware attack attempts against users in India which had strong characteristics of Janus vulnerability abuse. In this post, we take a look at the key points of the “Agent Smith” malware and the precautions to take against it.

Image – Agent Smith / Source –

#1. How it Works

  1. A dropper app (e.g. a look-alike of a photo utility, a game, or an adult-content app) lures the victim into installing it voluntarily.
  2. The dropper automatically decrypts and installs its core malware APK, which later carries out the malicious patching and app updates. The core malware mostly disguises itself as Google Updater, Google Update for U or “”. The core malware’s icon is hidden.
  3. The core malware then extracts the device’s list of installed apps. If it finds apps on its prey list (hard-coded or sent from a server), it extracts the base APK of the targeted innocent app from the device, patches the APK with malicious ad modules, and installs the patched APK in place of the original as if it were an update.

Image – Agent Smith’s Attack Flow / Source – Checkpoint site

#2. Default app list that “Agent Smith” malware uses

“Agent Smith” fetches a fresh list of applications to search for or, if that fails, falls back to the default list below:

  • whatsapp
  • lenovo.anyshare.gps
  • jiochat.jiochatapp
  • jio.join
  • good.gamecollection
  • startv.hotstar
  • meitu.beautyplusme
  • domobile.applock
  • touchtype.swiftkey
  • cn.xender
  • eterno
  • truecaller

For each application on the list, “Agent Smith” infects the application using any of the available methods. After all of the required changes, “Agent Smith” recompiles the application and builds a DEX file (the executable file that contains compiled code for the Android platform) containing both the original application’s code and the malicious payload.

Finally, “Agent Smith” builds another APK file from the original APK using the Janus vulnerability:

Image – Infected APK file structure

“Agent Smith” then replaces the original application’s activities with an in-house SDK’s activity, which shows the ad banner received from the server.
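A Janus-style hybrid is one file that two parsers read differently: the DEX loader reads a DEX header at offset 0, while the ZIP parser locates the central directory from the end of the file, so a DEX file with a complete APK appended behind it passes both. That gives a defender a cheap triage check on any APK pulled from a device: a legitimate APK starts with a ZIP local file header, never with DEX magic. The Python below is an added example written for this post, not Check Point’s tooling or code from the campaign; the byte signatures are public format constants, and the two sample files it classifies are constructed in memory (a two-entry ZIP standing in for an APK, and a zero-filled fake DEX header glued in front of it).

```python
import io
import zipfile

# Public format constants (not values taken from the post).
DEX_MAGIC = b"dex\n"              # every DEX header starts with "dex\n" + a version string
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # a normal APK (a ZIP archive) starts with a local file header
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record, near the end of any ZIP
EOCD_SEARCH_WINDOW = 22 + 65535   # EOCD is 22 bytes plus an optional comment of up to 64 KiB


def classify_apk_bytes(data: bytes) -> str:
    """Classify raw file bytes as 'apk', 'dex', 'janus-hybrid' or 'unknown'.

    A Janus-style hybrid is a DEX file with a complete ZIP archive appended:
    the DEX loader reads the header at offset 0, the ZIP parser reads the
    central directory from the end, so a single file satisfies both.
    """
    starts_with_dex = data.startswith(DEX_MAGIC)
    has_zip_tail = ZIP_EOCD in data[-EOCD_SEARCH_WINDOW:]
    if starts_with_dex and has_zip_tail:
        return "janus-hybrid"
    if starts_with_dex:
        return "dex"
    if data.startswith(ZIP_LOCAL_HEADER) and has_zip_tail:
        return "apk"
    return "unknown"


def zip_entries(data: bytes) -> list:
    """Entry names a ZIP parser sees in the file ([] if it is not a readable ZIP).

    Python's zipfile, like Android's ZIP handling, tolerates leading junk by
    locating the central directory from the end, which is why the hybrid is
    still installable and still lists its entries here.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def make_clean_apk() -> bytes:
    """Constructed stand-in for a benign APK: a ZIP with two placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        zf.writestr("classes.dex", b"<placeholder original dex>")
    return buf.getvalue()


def make_janus_hybrid(apk: bytes) -> bytes:
    """Constructed stand-in for a hybrid: a fake, zero-filled DEX header in front of a real ZIP."""
    fake_dex_header = DEX_MAGIC + b"035\x00" + b"\x00" * 104  # 112 bytes, header-sized, constructed
    return fake_dex_header + apk


if __name__ == "__main__":
    clean = make_clean_apk()
    hybrid = make_janus_hybrid(clean)
    for label, blob in (("clean", clean), ("hybrid", hybrid)):
        print(f"{label:7s} {classify_apk_bytes(blob):13s} entries={zip_entries(blob)}")
```

Running the block prints `apk` for the clean archive and `janus-hybrid` for the prepended one, while `zip_entries` returns the same two names for both, which is exactly the mismatch the vulnerability exploits. To triage a real sample, read the APK from disk and pass its bytes to `classify_apk_bytes`.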

The “Agent Smith” campaign is primarily targeted at Indian users, who represent 59% of the impacted population.

Image – Agent Smith Infection heat map

Image – Slice of affected Google Playstore apps

Check Point Research reported these dangerous apps to Google, and all of the reported apps have since been taken down from the Google Play store.

#3. Take adequate precautions when installing updates or new apps

  1. Read up on the type of mobile app you’re looking for, and on the particular mobile app you’re considering.
  2. Take the time to walk through the app permissions. Check whether the app description in the app store or on the developer’s website explains why it needs each permission, or contact the developer directly. According to Symantec, these are the risky permissions:
    • Location tracking
    • Camera access
    • Audio recording
    • Phone logs access (read)
    • SMS messages access (read)
  3. Download only from the Apple App Store and Google Play. They will most likely have the cleanest, most recent version of the app. Don’t install apps from third-party stores or unknown APK sources.
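Walking through permissions by hand is tedious once you have more than a handful of APKs to vet, so the check in step 2 is worth scripting. The Python below is an added example written for this post (not Symantec’s or Check Point’s code): it maps the five risky categories listed above to the Android permission names that grant them, parses the `uses-permission` lines that `aapt dump permissions <apk>` prints (the exact line format is assumed; both the `name='...'` form and the older bare-name form are accepted), and reports which risky categories an app requests. The sample dump for a supposed photo editor is constructed inline; a photo editor asking to read SMS is the kind of mismatch the post tells you to question.

```python
import re

# The post's five risky permission categories, mapped to the Android permission names
# that grant them. The names are real Android permissions; the grouping is this example's.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "Location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "Location tracking",
    "android.permission.CAMERA": "Camera access",
    "android.permission.RECORD_AUDIO": "Audio recording",
    "android.permission.READ_CALL_LOG": "Phone logs access (read)",
    "android.permission.READ_SMS": "SMS messages access (read)",
}

# Assumed line shapes from `aapt dump permissions`:
#   uses-permission: name='android.permission.CAMERA'    (newer aapt)
#   uses-permission: android.permission.CAMERA           (older aapt)
USES_PERMISSION_RE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s+(?:name=')?([A-Za-z0-9_.]+)'?"
)


def parse_aapt_permissions(dump: str) -> list:
    """Return the permission names requested in an aapt permission dump, in order."""
    names = []
    for line in dump.splitlines():
        match = USES_PERMISSION_RE.match(line.strip())
        if match:
            names.append(match.group(1))
    return names


def risky_permissions(dump: str) -> dict:
    """Group requested permissions that fall in a risky category: {category: [permission, ...]}."""
    found = {}
    for name in parse_aapt_permissions(dump):
        category = RISKY_PERMISSIONS.get(name)
        if category is not None:
            found.setdefault(category, []).append(name)
    return found


# Constructed sample: what a dump for a fictional photo editor might look like.
SAMPLE_DUMP = """\
package: com.example.photoeditor
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""


if __name__ == "__main__":
    for category, names in sorted(risky_permissions(SAMPLE_DUMP).items()):
        print(f"{category}: {', '.join(names)}")
```

The camera permission is expected for a photo editor; the SMS and precise-location requests are the ones to look up in the store description or query with the developer before installing. To audit a real file, pipe `aapt dump permissions app.apk` into `risky_permissions`.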
