Malware Infected 25 Million Devices in India From Pre-Installed App

If you clicked on popular apps like WhatsApp, temple run, etc but still get advertisements then your device might be infected with this malware.

A new type of malware is being discovered by the security firm “checkpoint”. it infected more than 25 million devices with Indian users having the largest share. it is distributing from a pre-installed app in some android devices. the malware is codenamed “Agent Smith”.

Yeah, sounds familiar that’s the name of the main antagonist of the matrix film. the malware gets its name due to methods it uses to attack android, without even letting anyone noticed about it.

Why it is dangerous?

The agent Smith disguised itself as a Google-related app and exploits the known vulnerabilities of android versions.
It automatically replaces the apps installed on the devices with the malicious versions of the apps we k even without user interaction or knowledge.
Currently, it only shows fraudulent ads for financial purposes only but can also be used for other dangerous purposes like stealing of bank credentials, eavesdropping, sending users private photos (also videos), etc.
It does these tasks in background and also conceals its icon so, it is very challenging to remove it by the common users on their own.
The researchers at checkpoint day that they discovered the malware in early 2019. it is the stealth infection methodology that complicates the thing, which makes it hard to detect until the device has been compromised.

Origin of Agent Smith

dropper variants — top apps dropping the affect smooth malware

The checkpoint says that it mainly downloaded from the 9apps store. the 9apps store is a third-party application store that is managed by UC-web. the name sounds familiar, yeah it is as the developers are also responsible for running the UC browser.

The 9app is pre-installed in various smartphones such as Micromax, Intex, etc. the current speculation is that the current version of Agent Smith appeared in early 2018.

The apps hard-coded in malware

infection of brand distribution

The list of apps that are hard-coded in the malware’s code is as follows:

1 : • com.whatsapp • com.lenovo.anyshare.gp • com.mxtech.videoplayer.ad • com.jio.jioplay.tv

2 : • com.jio.media.jiobeats • com.jiochat.jiochatapp • com.jio.join • com.good.gamecollection • com.opera.mini.native

3: • in.startv.hotstar • com.meitu.beautyplusme• com.domobile.applock • com.touchtype.swiftkey • com.flipkart.android • cn.xender • com.eterno • com.truecaller

How to prevent it?

Uninstalls the 9app if it is installed on your smartphone and also the apps downloaded through it.
Most of the android devices are of android 5(Lollipop) and 6(marshmallow), as android 7(Nougat) fixed the vulnerability by introducing APK signature Scheme V2. So, if your device receives the update, so update it.
If you have installed any of the above apps, then also uninstall it and do a hard reset of the device