25 million Android devices infected by new malware variant dubbed 'Agent Smith'

'Agent Smith' malware replaces legitimate applications with malicious versions

A new form of mobile malware has infected as many as 25 million Android devices, according to security specialists Check Point.

Dubbed 'Agent Smith', the malware exploits known vulnerabilities within the Android operating system to disguise itself as Google-related software, installing malicious applications in place of legitimate versions.

Check Point said that the malware had "quietly infected" millions of devices, including 15 million in India, and "replaces installed apps with malicious versions without users' knowledge or interaction".

"The malware currently uses its broad access to the devices' resources to show fraudulent ads for financial gain, but could easily be used for far more intrusive and harmful purposes such as banking credential theft and eavesdropping," it said in a media announcement.


"This activity resembles previous malware campaigns such as Gooligan, Hummingbad and CopyCat."

The app originates from a popular third-party app store called 9Apps and has mainly infected Hindi, Arabic, Russian and Indonesian users.

Although most of the victims live in India, Check Point warned that users in other Asian countries, such as Pakistan and Bangladesh, had also been affected. Traces of the malware were also found in the UK, Australia and the US.

Jonathan Shimonovich, head of mobile threat detection research at Check Point, said: "The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own.

"Combining advanced threat prevention and threat intelligence while adopting a 'hygiene first' approach to safeguard digital assets is the best protection against invasive mobile malware attacks like Agent Smith.

"In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection, as third-party app stores often lack the security measures required to block adware-loaded apps."

Since discovering the malware, Check Point said it has worked closely with Google and that no malicious apps remain on the Play Store.

Boris Cipot, senior security engineer at Synopsys, added: "Rogue software posing as the original, legitimate piece of software with the intention of luring users to install it and therefore infect their computers is a common practice criminals use.

"With the most modern mobile devices, downloading and installing apps is essentially a five-second act which makes the risk of installing malware even bigger if you're not careful - once you've confirmed the install, it's too late to change your mind.

"The potential to use software and functionalities from millions of developers - and for free in many cases - is a widely accepted practice. With this, there are also hidden dangers afoot.

"An attacker has access to many user interaction points. This can help them to promote malware to users. Since users often do not check details around what software is being used within the app and who created it, attackers have many opportunities to push their malware on user devices."