Malware that replaces code in popular apps with its own malicious code has been discovered on millions of Android devices.
Researchers from security firm Check Point have discovered Android malware that replaces portions of apps with its own code. Dubbed ‘Agent Smith’ by the team, the name is inspired by the antagonist of The Matrix franchise, owing to the clandestine methods by which this malware infects devices and remains undetected.
It is believed that more than 25m Android devices have been affected. The malware looks for apps such as WhatsApp, Opera Mini and Flipkart on victims’ phones and switches out portions of their code with its own. It also hides inside “barely functioning photo utility, games or sex-related apps”, Check Point said.
The malware relies on a key vulnerability that Android patched several years ago. However, not all developers have evidently updated their apps to take advantage of the new security measures, which leaves those apps open to the code replacement.
The malware uses its broad access to a device’s resources to force apps to display more ads, or absorbs the views for ads already displayed so that the cybercriminals can profit from the fraudulent views. It also displays what researchers call “malicious advertisements”.
The research team has also warned that it “could easily be used for far more intrusive and harmful purposes such as banking credential theft and eavesdropping”.
The Agent Smith malware has primarily affected devices in India, Pakistan and Bangladesh. This is because the malware is spread through a third-party app store, 9Apps, that is popular in that region. Check Point has said that the malware penetrated a “noticeable number” of devices in countries such as Saudi Arabia, the UK and the US as well.
There is also evidence that the malware’s operator attempted to infiltrate the Google Play Store by sneaking in 11 apps that included code related to a simpler version of the malware. Agent Smith remained dormant, however, and Check Point said it contacted Google and law enforcement to report it. All of the discovered apps were subsequently removed.