Check Point researchers Aviran Hazum, Feixiang He, Inbal Marom, Bogdan Melnykov, and Andrey Polkovnichenko discovered yet another Android malware infecting users. Usually, Android malware affects users outside the U.S., since those users often trust third-party app vendors. These vendors do a pretty poor job of gate-keeping, so malware is often able to gain a foothold in countries like India. And that’s exactly what attackers have done in the case of Agent Smith, the name of this latest Android malware campaign. The third-party app store in question here is 9Apps, a store that targets Indian, Arabic, and Indonesian Android users. Agent Smith disguises itself as a regular app like WhatsApp or Opera. When the user downloads an infected app, Agent Smith then uses its escalated privileges to infect other apps on the victim’s phone. The eventual payload is a stream of illegitimate ads served through those apps. As of now, Agent Smith has infiltrated 25 million devices, 15 million of which are in India. 300,000 infected devices are in the U.S., which makes this campaign unusual in that it was able to infiltrate more complex Android systems.
Check Point acknowledges this fact by observing that the “actors behind Agent Smith seem to have moved into the more complex world of constantly searching for new loopholes, such as Janus, Bundle and Man-in-the-Disk, to achieve a 3-stage infection chain, in order to build a botnet of controlled devices to earn profit for the perpetrator.” The researchers claim that this is the first campaign that leverages all of these loopholes at once.
It’s important to note the similarity between Agent Smith’s method of infection and ViceLeaker. Both campaigns appear to backdoor apps and inject them with malicious code. What makes Agent Smith more insidious is the fact that it backdoors apps on the fly, or just-in-time (JIT). Also, the means behind Agent Smith are more dangerous than its end: though the attack results in ad displays, the researchers note that the malware can easily be re-purposed to allow for the theft of sensitive data.
The researchers were able to boil down an Agent Smith attack into three phases:
- An enticing sex-related, gaming, or photo app hiding a Feng Shui Bundle would find a home in 9Apps waiting to be installed.
- Once installed, a malware APK is decrypted and bundled with the app disguised as Google Update and other update variants. Hackers can now maliciously patch and update the malware.
- Finally, the core malware extracts a list of installed apps, finds apps specified by code or C&C commands, and “updates” their APKs with malicious code.
For now, the source of the Agent Smith campaign is 9Apps, but the Check Point research team discovered 11 apps in the Google Play store that contain a dormant SDK similar to the one found in Agent Smith apps. Within the SDK lies a kill switch that awaits the keyword “infect” in order to become a malicious payload.
From this finding, the researchers conclude that “Evidence implies that the ‘Agent Smith’ actor is currently laying the groundwork, increasing its Google Play penetration rate and waiting for the right timing to kick off attacks.” The researchers have also concluded that the attackers are most likely from a Chinese internet company located in Guangzhou. The report ends with this statement: “Today this malware shows unwanted ads, tomorrow it could steal sensitive information; from private messages to banking credentials and much more.”