Over the years, malware has evolved just as much as technology, from simple worms to devastating ransomware. Though malware removal software has kept viruses and malware at bay, a new form of malware is emerging. Given its abilities, it can easily be weaponized in the hands of cybercriminals. This new form of malware is dubbed “Agent Smith”.
What Is “Agent Smith” Malware? Why Can’t Malware Removal Apps Detect It?
Named after the enemy in the famous sci-fi movie “The Matrix”, the Agent Smith malware and the movie character share a common feature: they exploit vulnerabilities in the system.
The Agent Smith malware, which has hit 25 million Android devices so far, is a modular malware that takes a stealthy approach to infecting its target smartphone. The scariest thing about this vicious malware is its ability to replace apps on your phone without your malware removal program finding out.
It replaces clean apps with a malicious version without alerting your malware removal program by using fake updates. And once your phone is infected, all your mobile applications could be replaced with an adware-modified version.
The Agent Smith malware was found in early 2019 by a research team at Check Point Software Technologies after they noticed a sudden rise in malware attacks in Asia. The cybersecurity group believes that the malware originated in China and spread through a third-party app store called 9Apps. Most infected smartphones are in India, Pakistan, and Bangladesh, but it has begun infecting phones in the UK and US as well. Malware removal software was not able to catch the infection.
The malware exploits a vulnerability in the Android operating system. And instead of directly attacking the system like older malware types, it attacks the system in stages to avoid being noticed by malware removal programs.
Stages of the Agent Smith Malware
All viruses have a lifecycle, but Agent Smith has a shorter cycle than other viruses. Its lifecycle can be broken down into three major phases:
Phase 1: Downloading an infected app
The first phase of the Agent Smith attack is for a target to voluntarily download the dropper app. The dropper app has the modular virus encrypted in it. Because the malware is encrypted in the app, it does not set off any malware removal alerts.
Phase 2: Decryption
Once the dropper app has been successfully installed on the target smartphone, the virus is decrypted and the virus APK is installed on the smartphone. The malware then initiates a fake update and patch disguised as a Google Updater. The virus doesn’t trigger any alert from malware removal apps.
Phase 3: Extraction
After the malicious updates are complete, the malware extracts a list of installed apps on the infected smartphone. The malware looks for apps it can infect, and once it finds one, it will replace it with an adware-modified version through a fake update. Your malware removal app sees this as a legitimate update and doesn’t flag it.
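The three phases above end with a legitimate app being silently swapped for a modified copy. One way a defender can catch that is to compare the hashes of the APKs installed on a device against a baseline taken earlier and flag any package whose bytes changed without a corresponding store update, plus any package that was not in the baseline at all. The code below is an added example, not Check Point's or anyone else's tooling; the APK contents and the set of store-acknowledged updates are constructed sample data (in practice they would come from `adb shell pm list packages -f`, pulling each APK, and the store's update history).

```python
import hashlib

# Constructed sample data: the raw bytes of each installed APK, keyed by
# package name, as captured on a device before the incident.
BASELINE_APKS = {
    "com.example.messenger": b"PK\x03\x04 messenger v1.0 legit",
    "com.example.browser": b"PK\x03\x04 browser v2.3 legit",
    "com.example.notes": b"PK\x03\x04 notes v1.1 legit",
}

# Same device captured later (constructed): the messenger has been replaced
# by a modified copy, the browser received a real store update, and a new
# "updater" package appeared that was never installed by the user.
CURRENT_APKS = {
    "com.example.messenger": b"PK\x03\x04 messenger v1.0 legit\nADWARE-PATCH",
    "com.example.browser": b"PK\x03\x04 browser v2.4 legit",
    "com.example.notes": b"PK\x03\x04 notes v1.1 legit",
    "com.example.fakeupdater": b"PK\x03\x04 updater dropper",
}

# Assumption: packages the official store says it updated in the interval.
STORE_UPDATES = {"com.example.browser"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(apks: dict) -> dict:
    """Record one hash per package so later captures can be compared."""
    return {pkg: sha256(data) for pkg, data in apks.items()}


def find_tampered(baseline: dict, current_apks: dict, store_updates: set) -> list:
    """Return (package, reason) pairs for packages that are new since the
    baseline or whose APK bytes changed without the store updating them."""
    findings = []
    for pkg, data in current_apks.items():
        if pkg not in baseline:
            findings.append((pkg, "new package not in baseline"))
        elif sha256(data) != baseline[pkg] and pkg not in store_updates:
            findings.append((pkg, "APK changed without a store update"))
    return findings


if __name__ == "__main__":
    for pkg, reason in find_tampered(build_baseline(BASELINE_APKS), CURRENT_APKS, STORE_UPDATES):
        print(f"{pkg}: {reason}")
```

A replaced app and a dropper both show up here even though the device's own updater treated the swap as a normal update; a legitimate store update does not.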
What Does Agent Smith Malware Do?
Though the method of infiltration and the ability to avoid detection by malware removal apps are a cause for concern, Agent Smith malware doesn’t damage the infected smartphone.
The main objective of Agent Smith malware is financial gain, achieved by showing unwanted ads in infected apps. The ads are usually out of context and pop up at any time. Another is to hijack the legitimate ads in the app and redirect the payments to the hackers instead of the app developers.
Though Agent Smith does no harm yet, it won’t be long before it can be weaponized and used for large-scale cyberattacks. Current malware removal apps offer no defense against it.
Timeline of the Agent Smith Malware
Researchers at Check Point traced the origins of the Agent Smith virus as far back as 2016. Here’s a quick timeline of the Agent Smith malware:
An early version of Agent Smith is tested on 9Apps. During this time, the malware has adware capabilities, but it can’t infect other apps yet. Numerous apps on 9Apps carried the Agent Smith prototype.
May 2018 – April 2019
Hackers begin experimenting with and developing the Agent Smith malware. It is during this time that its ability to infect other apps is discovered and put to use. Hackers run pilot experiments on 9Apps while continuing to develop the malware.
Around mid-June, Agent Smith attacks started to expand, continuing until December 2018. The infection rate stabilized sometime in early 2019. In December, the hackers tried to infiltrate Google Play with infected apps in a campaign called “Jaguar Kill Switch”. This attack could prove to be more dangerous than the Agent Smith attack.
April 2019 – Present
Infection rates for Agent Smith have dropped. Researchers believe that the hackers are building a major update to the Agent Smith malware under a different name.
Conclusion
In our current cyberspace, hackers are developing new kinds of malware that build upon the success of old malware. And this must be combated with better malware removal programs.
Agent Smith malware is just the tip of the iceberg. And hackers will soon be able to launch a devastating cyberattack using Agent Smith malware. Cybersecurity experts need to build a malware removal program that can counter such an attack.