A new malware type targeting smartphones has infected some 25 million devices, 15 million of which are in India. The malware is dubbed "Agent Smith." It targets the Android mobile operating system, replacing installed apps with a malicious version without alerting the user.

Here's how you spot Agent Smith, how to stop it, and how to protect against Android malware.

What Is Agent Smith Malware?

Agent Smith is a modular malware that exploits a series of Android vulnerabilities to replace legitimate existing apps with a malicious imitation. The malicious app doesn't steal data. Instead, the replaced apps display a huge number of adverts to the user or steal credit from the device to pay for adverts already served.

The malware carries the "Agent Smith" moniker, the same name as the infamous Matrix character who is characterized as a virus. The Check Point research team reason that the methods the malware uses to propagate are similar to Agent Smith's techniques in the film series.

"The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own," says Check Point Software Technologies Head of Mobile Threat Detection Research Jonathan Shimonovich in the blog post. "Combining advanced threat prevention and threat intelligence while adopting a 'hygiene first' approach to safeguard digital assets is the best protection against invasive mobile malware attacks like 'Agent Smith.'"

Moreover, Agent Smith has infected a huge number of devices. India has by far the most infections: the Check Point research indicates some 15 million devices there carrying Agent Smith. The next closest country is Bangladesh, with around 2.5 million devices infected. There were over 300,000 Agent Smith infections in the US and around 137,000 in the UK.


How Does the Agent Smith Malware Work?

Check Point Research believe the Agent Smith malware originates from a Chinese company that helps Chinese Android developers publish and promote apps in foreign markets.

The malware first appeared on the third-party app store "9Apps." The third-party app store targets Indian, Arabic, and Indonesian users, explaining the significant number of infections in those areas. (It is a good reason to avoid downloading Android apps from third-party app stores.)

Agent Smith malware works in three phases.

  1. A dropper app lures the victim to install the malware voluntarily. The initial dropper contains encrypted malicious files and usually takes the form of "barely functioning photo utility, games, or sex-related apps."
  2. The dropper decrypts and installs the malicious files. The malware uses Google Updater, Google Update for U, or "com.google.vending" to disguise its activity.
  3. The core malware creates a list of installed apps. If an app matches its "prey list," it patches the target app with a malicious advertising module, replacing the original as if it was a simple app update.

The prey list includes WhatsApp, Opera, SwiftKey, Flipkart, and Truecaller, among others.
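As an added example (not from Check Point or the original article), the following Python sketch audits the text produced by `adb shell pm list packages -i` for the `com.google.vending` disguise named in phase 2 and for prey-list apps that were not installed by Google Play. The package IDs mapped to the prey-list app names and the sample output are assumptions of this example.

```python
import re

# Package name the article says the dropper uses as a disguise. The genuine
# Google Play Store package is com.android.vending.
DISGUISE_PACKAGES = {"com.google.vending"}
PLAY_STORE = "com.android.vending"

# Package IDs for the prey-list apps named in the article (the IDs are an
# assumption of this example; the article gives only the app names).
PREY = {
    "com.whatsapp": "WhatsApp",
    "com.opera.browser": "Opera",
    "com.touchtype.swiftkey": "SwiftKey",
    "com.flipkart.android": "Flipkart",
    "com.truecaller": "Truecaller",
}

# One line of `pm list packages -i`: package:<id>  installer=<id or null>
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

def audit(pm_output):
    """Return sorted (package, reason) findings from `pm list packages -i` text."""
    findings = []
    for raw in pm_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        pkg, inst = m["pkg"], m["inst"]
        if pkg in DISGUISE_PACKAGES:
            findings.append((pkg, "look-alike of " + PLAY_STORE))
        elif pkg in PREY and inst != PLAY_STORE:
            findings.append(
                (pkg, f"{PREY[pkg]} not installed by Google Play (installer={inst})"))
    return sorted(findings)

# Constructed sample output, not taken from a real device.
SAMPLE = """\
package:com.whatsapp  installer=com.android.vending
package:com.truecaller  installer=null
package:com.google.vending  installer=null
package:com.opera.browser  installer=com.example.thirdpartystore
package:com.android.chrome  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, reason in audit(SAMPLE):
        print(f"{pkg}: {reason}")
```

An `installer=null` entry also appears for preinstalled and adb-installed packages, so a finding is a prompt to review the app, not a verdict.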

Interestingly, Agent Smith bundles together several Android vulnerabilities, including Janus, Bundle, and Man-in-the-Disk. The combination creates a 3-stage infection process allowing the malware distributor to build a monetized (via adverts) botnet. The Check Point research team believe Agent Smith is "possibly the first campaign seen that integrates and weaponized" all the vulnerabilities together, making the malware "as malicious as they come."

Agent Smith Malware Modules

Agent Smith malware uses a modular structure to infect targets, consisting of:

  • Loader
  • Core
  • Boot
  • Patch
  • AdSDK
  • Updater

The dropper is a repackaged legitimate application that also contains the malicious loader.

The loader extracts and runs the Core module, which in turn communicates with the malware command and control (C&C) server. The C&C server sends the prey list. If any apps are found, the malware uses a vulnerability to inject the Boot module into the repackaged application.

The next time the infected application starts, the Boot module runs the Patch module, which uses the AdSDK module to introduce the adverts and begin generating revenue.

Another interesting element of Agent Smith is that it doesn't stop at one malicious app. If Agent Smith finds multiple app matches on the prey list, it will replace each one with a malicious version. Agent Smith also issues malicious update patches to the repackaged apps, keeping the infection going, and serving new advertising packages.

Removing Agent Smith Apps From Google Play

The main point of infection for Agent Smith was the third-party app store 9Apps. However, Google Play wasn't untouched. Check Point discovered 11 apps on the Google Play store containing a "malicious yet dormant" set of files relating to the Agent Smith actor. The Google Play versions of Agent Smith use a slightly different propagation technique but have the same end goal.

Check Point reported the malicious apps to Google, and all were removed from the Google Play store.

How to Spot and Remove Agent Smith From Android

You can spot Agent Smith fairly easily. If your regularly used apps suddenly start producing an overwhelming amount of adverts, it is a sure sign something is wrong. The ads the malware serves are difficult or impossible to exit, which is another indicator. But as Agent Smith acts almost silently bar the adverts, picking up on subtle changes to your apps is incredibly difficult.

Please note that apps suddenly displaying a huge volume of adverts isn't the sole marker of Agent Smith. Other Android malware types serve adverts to increase revenue. Your device could have a different type of Android malware, like Joker.

If you suspect something is wrong, you should complete an antimalware or antivirus scan on your device.

The first port of call is Malwarebytes Security, the Android version of the excellent antimalware tool. Download Malwarebytes Security and run a full system scan. It should catch and remove any malicious apps.

Download: Malwarebytes Security (Free, subscription available)

If Agent Smith or other Android malware persists, we strongly advise checking our guide to removing Android malware without a factory reset. It features more Android malware removal apps as well as a step-by-step guide to cleaning your device, without deleting any data!