25 Million Android Phones Infected With Malware That ‘Hides In WhatsApp’ And Other Apps

Pappi Hex

Security researchers have uncovered nasty malware that has infected about 25 million Android phones, replacing genuine apps like WhatsApp with malicious versions that serve up adverts.

According to security researchers from Check Point, the malware, dubbed 'Agent Smith', disguises itself as a Google-related application and then uses known Android vulnerabilities to replace apps installed on the phone with malicious versions, without the user's permission.

"Disguised as a Google-related application, the malware exploits known android vulnerabilities and automatically replaces installed apps with malicious versions without user's knowledge or interaction," Check Point said.

Check Point said that the Agent Smith malware uses its access to Android devices to show fake ads for financial gain. However, its access to users' phones means it could be used for more nefarious purposes, though it isn't clear whether the malware has gone that route.

"Due to its ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user's device," the security researchers noted.

The threat intelligence firm said Agent Smith originated on a popular third-party app store called 9Apps (owned by China's Alibaba), not on the official Google Play Store. The malware seems to target mainly Arabic, Hindi, Indonesian, and Russian speakers.

However, the majority of the malware's victims are in India, Bangladesh, Pakistan, Australia, the UK, the US, Saudi Arabia, Myanmar, Indonesia, etc.

Countries infected, as shown by Check Point

These are the top 10 countries that seem to have suffered the most from the malware:
  • India: 15.2 million
  • Bangladesh: 2.5 million
  • Pakistan: 1.6 million
  • Indonesia: 572K
  • Nepal: 469K
  • US: 302K
  • Nigeria: 287K
  • Hungary: 282K
  • Saudi Arabia: 245K

This is how the attack happens. The Android user goes to the 9Apps store and unsuspectingly downloads an app (it could be a game, a photo utility or an adult-themed app) which happens to be one of the infected apps: Phone Projector, Rabbit Temple, Kiss Game: Touch Her Heart, Girl Cloth XRay Scan Simulator, or Flash - Call Screen Theme.

The infected app then silently installs the malware, which disguises itself as a legitimate Google updating tool. To avoid arousing the user's suspicion, the newly installed malware doesn't leave any icon on the screen.

Once this hidden installation is done, legitimate apps such as WhatsApp, Opera browser, TrueCaller, etc. are replaced with malicious versions via an update.

Check Point also noted that the hackers behind this were considering moving to the Google Play Store. The security researchers said they found about 11 apps on the Google Play Store that contained a "dormant" piece of the hackers' software. Google, in turn, wasted no time in taking the apps down.

The apps that Google took down from the Play Store include:

Blockman Go: Free Realms & Mini Games by Blockman Go Studio, Cooking Witch by Ghost Rabbit, Ludo Master - New Game 2019 For Free by Hippo Lab, Angry Virus by A-Little Game, Bio Blast - Infinity Battle: Shoot virus! Taplegend, Shooting Jet by Gaming Hippo, Gun Hero: Gunman Game for Free by Simplefreegames, Clash of Virus by BrainyCoolGuy, Star Range by A-little Game, Crazy Juicer - Hot Knife Hit Game & Juice Blast by Mint Games Global, and Sky Warriors: General Attack.

Those who have been infected, or who suspect that their device has been infected and have been seeing ads on their phone, should do the following:
  • Go to Settings on your Android device.
  • Locate the Apps and Notification section and then head to the app info list.
  • From the app info list, search for any of the apps listed above and also for suspicious applications with names like Google Updater, Google Installer for U, Google Powers and Google Installer.
  • Next, tap on the suspicious app and then uninstall it.
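
The manual check above can also be run over an exported app inventory (for example from a device-management console); the following is an added example, not code from this article or from Check Point. The inventory fields (`package`, `label`, `launcher_icon`), the sample package names and the trusted-prefix heuristic are assumptions, and only the 9Apps titles and disguise names listed in the article are included.

```python
import re

# Labels the article lists as Agent Smith's disguises (Settings > app info).
DISGUISE_LABELS = {"google updater", "google installer for u",
                   "google powers", "google installer"}
# Infected 9Apps apps the article names.
DROPPER_LABELS = {"phone projector", "rabbit temple",
                  "kiss game: touch her heart",
                  "girl cloth xray scan simulator",
                  "flash - call screen theme"}
# Assumption: genuine Google components use these package prefixes.
TRUSTED_PREFIXES = ("com.google.", "com.android.")

def normalise(label):
    """Collapse whitespace and case so near-identical labels compare equal."""
    return re.sub(r"\s+", " ", label).strip().lower()

def triage(inventory):
    """Return (package, label, reasons) for every app worth a manual look."""
    findings = []
    for app in inventory:
        label, pkg = normalise(app["label"]), app["package"]
        reasons = []
        if label in DROPPER_LABELS:
            reasons.append("infected app named in the article")
        if label in DISGUISE_LABELS:
            reasons.append("disguise label named in the article")
            if not app.get("launcher_icon", True):
                reasons.append("no launcher icon")
        if label.startswith("google") and not pkg.startswith(TRUSTED_PREFIXES):
            reasons.append("Google-branded label outside Google namespace")
        if reasons:
            findings.append((pkg, app["label"], reasons))
    return findings

# Constructed sample inventory; package names are made up for illustration.
SAMPLE_INVENTORY = [
    {"package": "com.google.android.gms", "label": "Google Play services", "launcher_icon": False},
    {"package": "com.whatsapp", "label": "WhatsApp", "launcher_icon": True},
    {"package": "com.example.upd", "label": "Google  Updater", "launcher_icon": False},
    {"package": "com.example.projector", "label": "Phone Projector", "launcher_icon": True},
    {"package": "com.example.gtools", "label": "Google Tools", "launcher_icon": True},
]

if __name__ == "__main__":
    for pkg, label, reasons in triage(SAMPLE_INVENTORY):
        print(f"{pkg:28} {label!r}: {'; '.join(reasons)}")
```

Label matching only surfaces the infected installer apps and the disguised updater; an app that has already been replaced with a malicious version keeps its familiar name, so it will not appear in this list.
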
To avoid falling victim to such attacks, every Android user is advised to stick to Google's official Play Store. Though the Play Store also has its own flaws, it's still way ahead of the other third-party Android stores in the wild.

Check Point also noted that Agent Smith's activity closely resembles that of malware like CopyCat, Gooligan and HummingBad, all of which used infected devices to generate millions of dollars in fake ad revenue for those behind them.
