‘Agent Smith’ malware replaced app code on over 25 million Android devices

It replaced code in apps, taking over ad revenue and earning profit for the malware operator


Security firm Check Point has discovered a new piece of Android malware that replaces parts of an app’s code with its own.

Dubbed ‘Agent Smith’ by Check Point, the malware has reportedly affected over 25 million devices.

However, this malware doesn’t steal user data. Instead, it forces the apps it infects to display more ads, or it takes credit for the ads those apps already display. The malware’s operator then profits off the ad revenue.

Check Point says the malware targets known apps on a user’s device, like WhatsApp, Opera Mini or Flipkart, replaces portions of their code, then prevents the apps from updating.

Primarily, Agent Smith has infected devices in India, which accounts for some 15 million infections. This is largely thanks to a third-party app store called ‘9Apps’ that’s popular in the country. Attackers hid the malware in photo utility apps, games or sex-related apps that “barely function,” according to Check Point.

If a user downloaded one of those apps, Agent Smith would disguise itself as a Google-related app with a name like ‘Google Updater,’ then begin replacing the code in other apps.

However, Check Point notes that the malware also made its way to the U.S., where it infected over 300,000 devices. Further, the malware’s operator attempted to bring Agent Smith to the Play Store, hiding it in 11 different apps. The malware in those apps remained dormant, and Check Point says Google has removed all the malicious apps.

The malware relies on a critical Android vulnerability that Google patched years ago. Unfortunately, developers also needed to update their apps to take advantage of the new protections, and clearly many have not.

Check Point says a Chinese company appears to run Agent Smith. That same company claims to help developers publish their apps internationally.

Image credit: Warner Bros.

Source: Check Point
Via: The Verge