A new malware strain, discovered by security researchers, targets Android devices, replacing legitimate apps with bogus copies that either serve the attackers' own ads or hijack the legitimate ones.
So far the malware, spread through unofficial app stores, has infected about 25 million devices; the researchers who discovered it named it Agent Smith.
Victims are typically lured by photo or adult applications that carry the malware. Once they download one to their device, the app installs Agent Smith.
The malware tries to hide its presence by disguising itself as a Google utility (Google Updater, Google Update for U or "com.google.vending") and hiding its icon from the user.
The malware then looks for apps on the device that appear in a target list, which is either hardcoded or downloaded from the command-and-control (C2) server.
When it locates a suitable application, Agent Smith extracts the base APK and injects a malicious advertising module. It then replaces the original application with the counterfeit.
To complete the installation as an update, the malware exploits the Janus vulnerability, which allows it to bypass Android's verification of the application and add arbitrary code to it.
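The Janus weakness abused here only affects APKs that carry the older v1 (JAR-style) signature alone, because v1 verification checks the ZIP entries rather than the whole file, whereas the v2 and later schemes cover every byte before the central directory. The following script is an added defensive example, not code from the article or from Check Point: it inspects an APK and reports whether it has an APK Signing Block (v2+) and whether the file begins with a DEX header instead of a ZIP entry, which a standard APK never does. It assumes a standard ZIP-based APK with a single end-of-central-directory record; the sample archives and the empty signing block it builds are constructed test fixtures, not real signatures.

```python
"""Report APK properties relevant to the Janus class of signature bypass.

Added example (not the article's or Check Point's code). Assumes the input is a
standard ZIP-based APK; the fixtures built below are constructed for testing.
"""
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                       # first 4 bytes of every .dex file
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailing magic of the v2/v3 signing block
EOCD_SIG = b"PK\x05\x06"                   # end-of-central-directory record signature


def find_eocd(data: bytes) -> int:
    """Locate the EOCD record (last 22 bytes plus an optional comment of up to 64 KiB)."""
    window = data[-(22 + 0xFFFF):]
    idx = window.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no ZIP end-of-central-directory record found")
    return len(data) - len(window) + idx


def central_directory_start(data: bytes) -> int:
    """Absolute offset of the central directory.

    Derived from the EOCD position minus the recorded directory size, so it
    stays correct even if bytes have been prepended to the archive.
    """
    eocd = find_eocd(data)
    (cd_size,) = struct.unpack_from("<I", data, eocd + 12)
    return eocd - cd_size


def has_apk_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block (v2+ signature) ends right before the central directory."""
    cd = central_directory_start(data)
    return cd >= 24 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC


def starts_with_dex_header(data: bytes) -> bool:
    """A well-formed APK starts with a ZIP local header, never with DEX magic."""
    return data[:4] == DEX_MAGIC


def list_entries(data: bytes) -> list:
    """Entries the ZIP parser sees; this is all a v1 signature check covers."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def assess(data: bytes) -> dict:
    """Summarise the findings: 'suspicious', 'v1-only' (exposed on unpatched devices) or 'ok'."""
    dex_first = starts_with_dex_header(data)
    signed_v2 = has_apk_signing_block(data)
    if dex_first:
        verdict = "suspicious"
    elif not signed_v2:
        verdict = "v1-only"
    else:
        verdict = "ok"
    return {"dex_header_first": dex_first, "has_signing_block": signed_v2, "verdict": verdict}


# ---- constructed fixtures (not real apps or real signatures) ----------------

def build_sample_apk() -> bytes:
    """Minimal unsigned, APK-shaped ZIP built in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
    return buf.getvalue()


def add_empty_signing_block(apk: bytes) -> bytes:
    """Insert an APK Signing Block with no signers (layout only) before the central directory.

    Layout: uint64 size_of_block, [pairs], uint64 size_of_block, 16-byte magic.
    """
    cd = central_directory_start(apk)
    block = struct.pack("<Q", 24) + struct.pack("<Q", 24) + APK_SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd] + block + apk[cd:])
    eocd = find_eocd(bytes(out))
    (cd_offset,) = struct.unpack_from("<I", out, eocd + 16)
    struct.pack_into("<I", out, eocd + 16, cd_offset + len(block))  # keep EOCD consistent
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_apk()
    print("unsigned:", assess(sample))
    print("with signing block:", assess(add_empty_signing_block(sample)))
    print("dex header first:", assess(DEX_MAGIC + b"035\x00" + sample))
```

Run it against a real APK by reading the file into `assess()`; a "v1-only" verdict means the app relies entirely on the signature scheme that Janus-style tampering defeats on unpatched devices, and a "suspicious" verdict means the file is not shaped like an APK at all and deserves a closer look.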
In the end, all the user sees is a seemingly innocent advertisement. Moreover, even the original app's ads make money for the malicious actors, since the malware can alter them and redirect them to its own benefit.
Check Point researchers have found that Agent Smith is used only to push advertisements, but they say its operators could also use it for more malicious purposes, such as stealing banking credentials.
The malware was discovered in popular third-party app stores, such as 9Apps, which primarily serves users in India, Arabic-speaking countries and Indonesia. However, infections were also observed on devices in Saudi Arabia (245k), Australia (141k), the United Kingdom (137k) and the USA (303k).
The list of Android apps affected by the malware includes:
The malware is not limited to infecting a single application; it replaces any and all applications on its target list.
Between May 2018 and April 2019, the operators began testing the ability to compromise legitimate applications and push the campaign through updates, as well as moving their infrastructure to AWS cloud services.
It appears that Agent Smith's creators were also trying to get into the official Android store: researchers found 11 applications in the Google Play Store that included "a malicious but inactive SDK associated with Agent Smith." The researchers alerted Google immediately and the malicious apps were removed.