Advertising fraud is a common motive for mobile malware. Check Point researchers have identified a malware campaign they named "Agent Smith" that hit more than 25 million Android devices. On an infected device it silently replaced legitimately installed applications with modified clones that served unauthorized advertising.
The researchers traced "Agent Smith" to a Chinese technology company whose business is promoting apps from Chinese developers abroad. The campaign in its current form dates back to 2018. "Agent Smith" initially spread through 9Apps, a third-party app store run by the makers of the UC Browser mobile browser. Most of the infected devices belong to users in Asia: 15.2 million in India, 2.5 million in Bangladesh and 1.7 million in Pakistan, with a further 300 thousand or so in the United States. Most victims were running outdated Android versions, 5 and 6, for which OS updates have not been released for a long time.
Applications carrying "Agent Smith" also appeared in the Google Play store. The researchers identified 11 such apps, which were removed from Google Play promptly after they were reported to Google's security team.
In an infected application the malicious component was disguised as an SDK. Its job was to download and install the full "Agent Smith" package. Once installed, the malware enumerated the apps present on the device, compared them against a target list, and replaced every match with a patched clone that serves unauthorized ads. The target list contained 16 applications, including WhatsApp, Lenovo AnyShare, Opera Mini, Flipkart and Truecaller.
Replacing an installed app without the user noticing is technically involved. "Agent Smith" used the Janus vulnerability (CVE-2017-13156) in Android, which lets an attacker add bytes to an APK without invalidating its v1 (JAR) signature: the v1 scheme only signs the individual ZIP entries, while the Dalvik runtime decides how to load a file from its leading bytes, so a DEX file prepended to a signed APK is executed even though the signature check on the untouched entries still passes. Apps verified with APK Signature Scheme v2, which covers the whole file, are not affected, but devices running Android 6 and older only check the v1 signature. After installing a clone, "Agent Smith" also blocked updates to that app so that a legitimate update could not remove the malicious code.