A newly discovered form of Android malware that changes code in legitimate apps to display fraudulent ads has been found on more than 25 million devices, according to a report today from security researchers at Check Point Software Technologies Ltd.

Dubbed “Agent Smith” by the researchers after the villain who copies himself multiple times in “The Matrix” movie trilogy, the malware seeks out and replaces code in legitimate apps including WhatsApp, Opera Mini and Flipkart to insert its own ads. The change in coding doesn’t affect the functioning of the apps aside from the insertion of the ads, meaning users are often unaware that they have the malware.

The code also prevents targeted apps from being updated, meaning users not only miss out on security and feature updates but remain infected with Agent Smith.

The infections have been primarily detected in South Asia, with 15 million devices in India believed to be infected, followed by users in Bangladesh and Pakistan. About 300,000 devices are believed to be infected in the U.S.

The infection pathway is via unofficial Android app stores in “barely functioning photo utility, games or sex-related apps,” the researchers noted. Once installed on a device, Agent Smith disguises itself as a Google-related app such as “Google Updater,” then gets to work looking for legitimate apps it can hijack with its malicious code.

While currently being used only to show fraudulent ads, the researchers noted that Agent Smith “could easily be used for far more intrusive and harmful purposes such as banking credential theft and eavesdropping.”

Highlighting an ongoing security issue for Android devices, Agent Smith exploits the Janus Vulnerability, which was patched in Android devices from early 2018 in Android version 7 and later. That Agent Smith has primarily infecting Android devices in the Asian subcontinent is reflective of both older unsupported Android versions and low-priced Android device manufacturers that don’t provide security updates.

Avoiding malware such as Agent Smith comes down to avoiding dubious Android app sites.

“One way to remain vigilant against attacks is to only use app stores with strict application development policies and reviews,” Boris Cipot, senior security engineer at Synopsys Inc., told SiliconANGLE. “Be observant and cautious with regard to what you install on your mobile devices. Before confirming installation, have a look to see where the app comes from, if there are reliable sources reviewing the app, and investigate the default permissions.”

Photo: Marcin Wichary/Wikimedia Commons