‘Agent Smith’ malware infects 25 million Android devices

Threat intelligence firm Check Point Research have released details of malware designed to exploit known Android vulnerabilities. It’s claimed to have affected up to 25 million Android devices.

They named the malware ‘Agent Smith’ due to “the methods it uses to attack a device and avoid detection”.

Jonathan Shimonovich, Head of Mobile Threat Detection Research at Check Point Software Technologies, said:

“The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own.”

The malware mostly targeted Hindi, Arabic, Russian and Indonesian speaking users, but it’s suggested up to 300,000 users in the US were infected. Masquerading as legitimate games and other apps, it was mainly distributed through third-party app stores such as 9Apps, popular in India.

Once downloaded, the malware would disguise itself as a Google app, and then begin updating other apps on the phone to copycat versions that also contained malicious code. The main symptom of the infection is unwanted ads appearing on previously ad-free apps, but the method of infection and the code it introduced have implications beyond annoying advertisements.

According to Aviran Hazum, head of Check Point’s analysis and response team for mobile devices, there is nothing to stop the malware authors targeting banking apps, and sending your credentials to a third party. Users wouldn’t notice anything different happening.

Ad-blockers, apps and updates

Check Point highlighted the danger of malicious ads with the ability to install dodgy apps when you browse a webpage. The suggested defences are to use ad-blockers, keep your software up to date, and only download apps from official app stores, as malicious apps can appear to be the genuine version when pre-installed.

They also pointed to Android fragmentation as a potential cause for concern. Due to the sheer number of manufacturers offering Android devices, new OS updates and security improvements can take months to filter through to every user. In some cases, updates never arrive.

When we analyzed a fake iPhone, we saw a heavily-modified version of Android 4.4 under the hood. The dangers of running an OS almost 6 years old are obvious – many attacks that worked on older operating systems have since been patched.

DeviceAtlas data shows us that in Q1 2019 in the US, Android 8 was the most common Android version, accounting for 19.15% of all mobile web traffic. Android 9 drove 5.78%, with Android 7 just behind with 5.42%.

Android 6 – now four years old – was seen on 3.10% of devices. There was a similar split in the UK. For an overview of the worldwide split, Google’s Distribution Dashboard provides the figures:

The update delay disproportionately affects countries where the mobile landscape is less developed. In Egypt, for example, the most popular OS was Android 6, driving almost 25% of all mobile web traffic. In Brazil, Android 6 drove 19.45% of mobile web traffic in our data.

The lack of urgency in pushing updates means millions of smartphone users could be vulnerable to exploits and weaknesses that have been fixed long ago.

For corporate networks, the risks of allowing a rogue device to connect are severe. The device may introduce malware or viruses to other machines, or could send sensitive information outside the organisation without raising any red flags. With hidden and altered apps running in the background, it’s impossible to tell what’s really going on beneath the surface. We discussed these risks in detail at our launch at MWC19 in February:

You can read more about the risks, and how DeviceAssure can help protect your network here.
