Saturday, January 18, 2025
HomeAndroid25 Million Android Users Infected with Powerful "Agent Smith" Malware Through Exploiting...

25 Million Android Users Infected with Powerful “Agent Smith” Malware Through Exploiting Several Mobile Vulnerabilities

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new Android malware called “Agent Smith” that infects nearly 25 million mobile users around the globe without letting users know about the malicious activities.

Agent Smith malware activities have a similar appearance of previously reported malware campaigns such as Gooligan, HummingBad, and CopyCat.

Malware posed as a legitimate Google app and takes advantage of the known vulnerabilities to exploit the device and replacing the already installed apps with its malicious version without any form of users interaction.

The ultimate motivation of the threat actors behind Agent Smith Malware is to push the malicious advertisements and harm the device to steal the bank credentials and other forms of financial gain.

Threat actors behind this Agent smith primary targets are India though other Asian countries such as Pakistan and Bangladesh.

Since Android keeps on securing its environment by applying frequent security patches, threats actors continue to develop the sophisticated infection chains to finding the new loopholes.

“Agent Smith” seems to be the first malware that using new loopholes, such as Janus, Bundle and Man-in-the-Disk, to achieve a 3-stage infection chain and build a botnet of compromised devices.

Infection Landscape

Agent Smith is not just infecting the single app in the targeted device, but it keeps on checking all the apps which are in the targeted list and it does the same until it finds the pre-listed apps.

Researchers estimated that the malware-infected over 2.8 billion times with 25 Million unique devices and its abuses 9Apps market using 360 different dropper variants.

There are 5 most infectious droppers that listed below were found in the list and these droppers alone have been downloaded more than 7.8 million.

Since the Android users are much higher in India than other countries, “Agent Smith”, overall compromised device brand distribution is heavily influenced and infected many of the Indian Users.

Researchers learned that most infections occurred on devices running Android 5 and 6, also, there is a number of successful attacks against newer Android versions which all not update their Android device properly.

Agent Smith Infection Process

Earlier 2019, Agent Smith started its infection process from India using similar characteristics of Janus vulnerability and the variant has an ability to hide their app icons and claim to be Google-based apps.

Agent Smith infection app that downloaded by the victim has a weaponized Feng Shui Bundle as encrypted asset files and the app has several other functionalities including photo utility, games, or adult related.

Once the dropper gets executed, it automatically decrypts and installs its core malware APK which is responsible for app update and malicious patching.

According to Checkpoint research ” The core malware is usually disguised as Google Updater, Google Update for U or “com.google.vending”. The core malware’s icon is hidden.”

Finally, it releases the apps list and checks whether the victims have installed any of the pre-listed apps which are hard-coded or sent from the C&C server.

“If its find any apps that listed in the pre-list, it will extract the base APK of the target innocent app on the device, patch the APK with malicious ads modules, install the APK back and replace the original one as if it is an update.” Checkpoint reported.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...

Thousands of PHP-based Web Applications Exploited to Deploy Malware

A significant cybersecurity threat has emerged, threatening the integrity of thousands of PHP-based web...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...