A new Android malware has been discovered. What makes this piece of malicious code interesting is its capability to replace legitimate apps with ad infested ones on the victim’s device. The malware, called Agent Smith by security firm Check Point, has infected over 25 million devices. The malware version of Agent Smith is far more dangerous to the everyday user then the fictional character from the Matrix films. The vast majority of these being on the Asian sub-continent with the vast majority of infections been detected in India with 15.2 million infections. Both Pakistan and Bangladesh have also experienced large numbers of infections, with those being 2.5 million and 1.7 million respectively. It has also been revealed that victims can remain infected for an average of two months.
In an article recently published by security firm Check Point, details of the malware have been released to the public along with a technical analysis of the malware. According to researchers, the malware was discovered earlier this year. Since its discovery researchers have tracked down the location of the malware’s operators, with their location being the city of Guangzhou, China. The operators appear to have set up a legitimate company as a front for distributing and profiting from Agent Smith. The legitimate company advertises itself as a business that helps Chinese Android app developers publish and promote their apps on overseas platforms. However, Check Point discovered that the company was posting ads for job positions that would be consistent with the requirements of operating Agent Smith and its associated infrastructure. Further, these positions would have very little to do with the job requirements needed for the legitimate side of the company.
It would seem that the malware began development in 2018, along with the first job postings been posted. Check Point has provided no other information relating to the company and the malware’s operators as the matter is currently been investigated by law enforcement. As for the malware itself, while vital to the investigation such information as to the operators is of little use to Android users infected with the malware, here there is very little good news to report. Initially, in Agent Smith’s life cycle it was distributed via booby-trapped Android apps uploaded on 9Apps, an independent Android app store managed by UCWeb, the developer behind the UC Browser Android browser.
In the latest campaign, researchers discovered apps infected with components used in the deployment of the Agent Smith malware have also begun appearing on the Google Play Store. So far researchers have found 11 such compromised apps. Researchers believe that this indicates that the operators are laying the groundwork for future campaigns. Responding to the threat Check Point sabotaged this stage of the malware deployment by reporting the apps to Google who has subsequently removed the compromised apps.
Before Android users feel that they are now safe from infection, it should be noted that the malware is incredibly hard to detect and the infection process makes the malware even harder to detect. Agent Smith uses a three-part deployment mechanism. Similar mechanisms have been seen in other advanced Android malware campaigns, such as CopyCat, Gooligan, and HummingBad all previously uncovered by Check Point in the recent past. In the case of Agent Smith the first part of the infection process involves the seeding of app stores with benign, but fully working apps. The operators of Agent Smith have been seen to seed apps with malicious code embedded in games, utility, or adult-themed apps uploaded on the 9Apps store.
The second stage involves a user downloading the benign app which contains the malicious code which more often than not was composed of a malicious software development kit. This kit would then at a later stage download and install another Android app package (APK) that contained the actual Agent Smith malware. The last stage of the infection involves Agent Smith scanning locally installed apps on the victim’s device. By using an internal list of apps as targets the malware will begin replacing legitimates apps with the ad ridden ones.
This replacement process is incredibly complex and exploits the Janus Vulnerability and can be understood as a vulnerability affecting certain versions of Android which when exploited correctly allows attackers to modify the code in applications without affecting their signatures. In this case, the app is replaced without affecting the legitimate signature. According to security firm Guard Square,
“The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. We have named it the Janus vulnerability, after the Roman god of duality…The Janus vulnerability stems from the possibility to add extra bytes to APK files and to DEX files. On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries). The JAR signature scheme only takes into account the zip entries. It ignores any extra bytes when computing or verifying the application’s signature. On the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc. A file can, therefore, be a valid APK file and a valid DEX file at the same time.”
If successful in replacing the app Agent Smith has one more party trick, the malware triggers an update of the injected app, cementing the malicious code inside the legitimate app, and then blocking future app updates, so it won't be removed during a subsequent app update. This final trick helps ensure persistence on the victim’s device. While the malware is currently only used for disseminating irritating ads it is in the malware’s capability that it can be easily modified to steal information in the future.