Security researchers have uncovered nasty malware that has infected about 25 million Android phones, replacing genuine apps like WhatsApp with malicious versions that serve up adverts.
According to security researchers from Check Point, the malware, which has been dubbed 'Agent Smith', disguises itself as a Google-related application and then uses known Android vulnerabilities to replace applications installed on the phone with malicious versions, without the user's permission.
"Disguised as a Google-related application, the malware exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions without user's knowledge or interaction," Check Point said.
Check Point said that the Agent Smith malware uses its access to Android devices to show fake ads for financial gain. However, that level of access to a user's phone means it could be used for more nefarious purposes, though it isn't clear whether the malware has been used that way.
"Due to its ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user's device," the security researchers noted.
The threat intelligence firm said Agent Smith originated on a popular third-party app store called 9Apps (owned by China's Alibaba), not on the official Google Play Store. The malware seems to target mainly Arabic, Hindi, Indonesian, and Russian speakers.
However, the majority of the malware's victims are in India, Bangladesh, Pakistan, Australia, UK, US, Saudi Arabia, Myanmar, Indonesia, etc.
Countries infected, as shown by Check Point:
- India 15.2 million
- Bangladesh 2.5 million
- Pakistan 1.6 million
- Indonesia 572K
- Nepal 469K
- US 302K
- Nigeria 287K
- Hungary 282K
- Saudi Arabia 245K
The infected app then silently installs the malware, which disguises itself as a legitimate Google updating tool. To avoid arousing the user's suspicion, the newly installed malware leaves no icon on the screen.
Once this hidden installation is complete, legitimate apps such as WhatsApp, Opera browser, TrueCaller, etc. are replaced with malicious versions via an update.
Check Point also noted that the hackers behind the campaign were considering a move to the Google Play Store. The security researchers said they found about 11 apps on the Google Play Store that contained a "dormant" piece of the hackers' software. Google promptly took the apps down.
The apps that Google took down from the Play Store include:
- Blockman Go: Free Realms & Mini Games by Blockman Go Studio
- Cooking Witch by Ghost Rabbit
- Ludo Master - New Game 2019 For Free by Hippo Lab
- Angry Virus by A-Little Game
- Bio Blast - Infinity Battle: Shoot virus! by Taplegend
- Shooting Jet by Gaming Hippo
- Gun Hero: Gunman Game for Free by Simplefreegames
- Clash of Virus by BrainyCoolGuy
- Star Range by A-little Game
- Crazy Juicer - Hot Knife Hit Game & Juice Blast by Mint Games Global
- Sky Warriors: General Attack
Anyone whose device has been infected, or who suspects an infection and has been seeing ads on their phone, should do the following:
- Go to Settings on your Android device
- Locate the Apps and Notification section and then head to the app info list.
- From the app info list, search for any of the apps listed above and also for suspicious applications with names like Google Updater, Google Installer for U, Google Powers and Google Installer.
- Next, click on the suspicious app and then uninstall it.
Check Point also noted that Agent Smith's activity closely resembles that of malware such as CopyCat, Gooligan and HummingBad, all of which used infected devices to generate millions of dollars in fake ad revenue for those behind them.