More than 25 million Android devices infected with 'Agent Smith' malware

PSA: Security researchers have discovered a new malware infecting more than 25 million Android devices. Dubbed "Agent Smith," the code makes its way on to a device through sketchy apps and then disguises itself as a Google-related application.

According to a press release from security firm Check Point, once Agent Smith is active on the device, the malware looks for common apps and replaces them with malicious versions. The altered apps show fraudulent ads for financial gain.

"The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own," said Check Point's Head of Mobile Threat Detection Research Jonathan Shimonovich.

The methods used are similar to other malware such as Gooligan, Hummingbad, and CopyCat. Check Point also says that the vector could easily be used for more nefarious and harmful purposes such as stealing bank information or spying.

So far, most of the infections have been detected in India and neighboring countries because the malware is primarily distributed through 9Apps, a third-party app store popular in the region. The malicious code generally comes hidden within a "dropper" app.

Top 5 most infectious droppers.

"A dropper app lures victim [sic] to install itself voluntarily," said Check Point. "Dropper variants are usually barely functioning photo utility, games, or sex-related apps."

More than 15 million of the infections originate from India, but around 300,000 devices in the US reportedly have the malware installed as well. According to the researchers, the bad actors, who appear to originate from China, tried to expand operations into the Google Play Store and successfully planted 11 programs infected with an altered version of the malware. Google has since removed the malicious software.

The vulnerabilities that Agent Smith relies on, Janus being one of them, were actually patched several years ago, but many apps have not updated their security to take advantage of the fix.

"This application was as malicious as they come," says Shimonovich. "Combining advanced threat prevention and threat intelligence while adopting a 'hygiene first' approach to safeguard digital assets is the best protection against invasive mobile malware attacks like Agent Smith. In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection as third-party app stores often lack the security measures required to block adware loaded apps."

Check Point has more information and a list of suspect apps on its blog.