25 Million Infected Devices: Check Point Research Discovers New Variant of Mobile Malware
July 2019 by Check Point
“Agent Smith” malware automatically replaces installed apps with malicious versions without the user’s knowledge or interaction.
Check Point Research has discovered a new variant of mobile malware that has quietly infected around 25 million devices, including 15 million mobile devices in India. Disguised as a Google-related application, the malware exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without users’ knowledge or interaction.
Dubbed “Agent Smith”, the malware currently uses its broad access to the devices’ resources to show fraudulent ads for financial gain, but could easily be used for far more intrusive and harmful purposes such as banking credential theft and eavesdropping. This activity resembles previous malware campaigns such as Gooligan, Hummingbad and CopyCat.
“The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,” said Jonathan Shimonovich, Head of Mobile Threat Detection Research at Check Point Software Technologies. “Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like “Agent Smith”. In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection as third party app stores often lack the security measures required to block adware loaded apps.”
“Agent Smith” was originally downloaded from the widely-used third party app store, 9Apps and targeted mostly Hindi, Arabic, Russian, Indonesian speaking users. So far, the primary victims are based in India though other Asian countries such as Pakistan and Bangladesh have also been impacted. There has also been a noticeable number of infected devices in the United Kingdom, Australia and the United States. Check Point has worked closely with Google and at the time of publishing, no malicious apps remain on the Play Store.
For more information about this mobile malware variant, visit the Check Pont Research Blog or the Check Point Corporate Blog.
If you have been infected by apps such as those described in “Agent Smith”, or otherwise, please follow these steps to remove the malicious apps.
Go to Settings Menu
Click on Apps or Application Manager
Scroll to the suspected app and uninstall it.
If it can’t be found then remove all recently installed apps.
Go to Settings Menu
Scroll to ‘Safari’
On the list of options, ensure that ‘block pop-ups’ is selected.
Then go to ‘Advanced’ -> ‘Website Data’.
For any unrecognized sites listed, delete this site.