Agent Smith

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019, Agent Smith had infected around 25 million devices, primarily targeting India, though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.[1]

ID: S0440
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.0
Created: 07 May 2020
Last Modified: 17 June 2020

Techniques Used

Domain | ID | Name | Use

Mobile | T1418 | Application Discovery
Use: Agent Smith obtains the device’s application list.[1]

Mobile | T1577 | Compromise Application Executable
Use: Agent Smith can inject fraudulent ad modules into existing applications on a device.[1]

Mobile | T1447 | Delete Device Data
Use: Agent Smith deletes infected applications’ update packages when they are detected on the system, preventing updates.[1]

Mobile | T1476 | Deliver Malicious App via Other Means
Use: Agent Smith has been distributed through the 9apps app store.[1]

Mobile | T1404 | Exploit OS Vulnerability
Use: Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.[1]

Mobile | T1472 | Generate Fraudulent Advertising Revenue
Use: Agent Smith shows fraudulent ads to generate revenue.[1]

Mobile | T1444 | Masquerade as Legitimate Application
Use: Agent Smith can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. Agent Smith's dropper is a weaponized legitimate Feng Shui Bundle.[1]

Mobile | T1406 | Obfuscated Files or Information
Use: Agent Smith’s core malware is disguised as a JPG file and encrypted with an XOR cipher.[1]

Mobile | T1424 | Process Discovery
Use: Agent Smith checks whether a targeted application is running in user space prior to infection.[1]

Mobile | T1508 | Suppress Application Icon
Use: Agent Smith can hide its icon from the application launcher.[1]