Kofi Anash 
Updated July 17th, 2019
A new variant of mobile malware dubbed “Agent Smith” has already infected 25 million devices, 15 million of which are in India.
Check Point researchers discovered the malware disguised as a Google-related application that leverages known Android exploits and automatically replaces installed apps with malicious imitations without users’ knowledge or interaction, according to a July 10 blog post.
The malware’s behavior is similar to the Gooligan, Hummingbad and CopyCat campaigns, the post added.
Currently, the malware uses its botnet to display fraudulent ads for financial gain, but researchers noted that threat actors can easily use the malware in more intrusive attacks such as for banking credential theft and eavesdropping.
“The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,” Check Point Software Technologies Head of Mobile Threat Detection Research Jonathan Shimonovich said in the post.
“Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like “Agent Smith”.
The malware was initially downloaded via the popular third-party app store 9Apps and targeted mostly Hindi, Arabic, Russian, Indonesian speaking users.
It has since grown to include other Asian countries including Pakistan and Bangladesh along with a noticeable number of devices in the United Kingdom, Australia and the United States.
“Rogue software posing as the original, legitimate piece of software with the intention of luring users to install it and therefore infect their computers is a common practice criminals use, “Synopsis Senior Security Engineer Boris Cipot.
“With the most modern mobile devices, downloading and installing apps is essentially a 5-second act which makes the risk of installing malware even bigger if you’re not careful—once you’ve confirmed the install, it’s too late to change your mind.”
Cipot added that the use of software and functionalities from millions of developers—and for free in many cases—is a widely accepted practice, but users must consider the hidden dangers of threat actors gaining access to many user interaction points via this practice.
Users should also beware that not every app store takes the initiative to enforce software development principles and naming conventions to minimise the likelihood of malicious actors’ ability to place rogue applications within app stores.
