Agent Smith malware replaces apps with malicious versions

A new mobile malware dubbed “Agent Smith” has infected more than 25 million devices by impersonating a Google-related app and exploiting known Android vulnerabilities.

The malware, which was discovered by security firm Check Point, is named after the main villain of The Matrix. It has penetrated some major apps, such as WhatsApp.

The malware extracts the list of apps installed on the device, automatically selects its target app, and replaces the original version with a malicious version without the user’s knowledge.

"The core malware extracts the device's installed app list. If it finds apps on its prey list (hard-coded or sent from C&C server), it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update," Check Point's researchers explained.

"In this case, "Agent Smith" is being used for financial gain through the use of malicious advertisements. However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft. Indeed, due to its ability to hide it's an icon from the launcher and impersonates any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user's device."

According to the Check Point researchers, it was made by a Chinese company that helps immature developers publish their apps overseas in order to make some money.

The company also suggests that it will take more time to protect against such attacks: "The 'Agent Smith' campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android eco-system. It requires attention and action from system developers, device manufacturers, app developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time."