A new strain of Android malware has infected 25 million devices and modified legitimate apps with a malicious ads module, according to a report by the security company Check Point.
The malware was disguised as Google-related updaters and “vending modules,” which hid its own app icons and automatically replaced already-installed legitimate apps with its own version without the user knowing. This lead the researchers to name the malware “Agent Smith” because its behavior is similar to the character in the film The Matrix of the same name.
The malware first appeared in popular third-party app store 9Apps and targeted mostly Indian, Pakistani and Bangladeshi users. However, of the 25 million affected devices, 303,000 infections were detected in the US, and 137,000 in the UK.
Apps that were modified include WhatsApp, Opera Mini, Flipkart, as well as software from Lenovo and Swiftkey. The malware detected which apps were installed, patched them with a malicious ads modules, and then re-installed them on the device. For the user, it simply looks like the app is being updated as expected. Once the update is complete, the owner of the malware can then profit from the newly included ads.
The security firm says they submitted data to Google and law enforcement agencies, and as of publishing no malicious apps remain on the Play Store. Nevertheless, the malware managed to survive for as long as it did because, despite the original vulnerability Agent Smith was based on being patched in Android years ago, developers did not sufficiently update their applications.