New Malware: Legit Android Apps Are Replaced by Fake Apps


Security researchers have disclosed details of a widespread Android malware campaign in which attackers silently replaced legitimately installed apps with malicious versions on nearly 25 million Android phones. According to researchers at Check Point, the attackers are distributing a new kind of Android malware that disguises itself as innocent-looking photo editing, adult entertainment, or gaming apps available through widely used third-party app stores. Dubbed Agent Smith, the malware takes advantage of multiple Android vulnerabilities, such as the Janus flaw and the Man-in-the-Disk flaw, to inject malicious code into the APK files of targeted apps installed on a compromised device, and then automatically reinstalls or updates them without the victim's knowledge or interaction. The malware, which the researchers believe is tied to a China-based firm, is designed for financial gain by serving malicious advertisements to victims.

Once an infected app is installed, Agent Smith runs a three-stage infection chain with a separate module for each step; how each module works is explained below:

1.) Loader Module — The app that initially distributes the malware contains a module called Loader, whose only purpose is to decrypt, extract, and run the second-stage module, named Core.

2.) Core Module — Once executed, the Core module communicates with the attackers' C&C server to receive a list of popular apps to be targeted and infected.

If it finds a match already installed on the victim's device, the Core module tries to infect the targeted APK using the Janus vulnerability or by simply recompiling the APK with a malicious payload. To automatically install the modified APK and replace the original version without the user's consent, the attackers then utilize a series of 1-day vulnerabilities, including the Man-in-the-Disk attack.

3.) Boot Module — This module is included in the malicious payload bundled with the original app. It works the same way as the Loader module: when a victim runs the modified application, it extracts and executes a further malicious payload, called the Patch module.

4.) Patch Module — The Patch module is designed to prevent the modified applications from receiving legitimate updates, which, if installed, would revert all of the malicious changes.

5.) AdSDK Module — This is the actual malicious payload: it displays ads to victims for financial gain and also infects the device with other adware families.

The researchers warn, however, that this modular malware could easily be adapted for far more intrusive and harmful purposes, such as stealing sensitive information, from private messages to banking credentials. The researchers first encountered Agent Smith in early 2019, when it was primarily targeting Android devices in India (with 15 million infected devices) and nearby Asian countries such as Pakistan, Bangladesh, Indonesia, and Nepal. The malware also affected a noticeable number of devices in the United States (more than 300,000 infected devices), Australia (over 140,000 infected devices) and the United Kingdom (over 135,000 infected devices). Apart from the third-party app stores, the researchers also found at least 11 infected apps on the Google Play Store in recent months containing malicious but inactive Agent Smith components.

This clearly indicates that the threat actors behind this campaign are also trying to find a way into Google's own app store to spread their adware. Google has reportedly removed all of these apps from its store. Since Agent Smith has mostly infected users who downloaded apps from third-party app stores, users are strongly recommended to download apps only from trusted app stores and trusted developers to mitigate the risk of infection. Users are also advised to uninstall any app they suspect may be malicious: open the Settings menu, tap Apps or Application Manager, scroll to the suspected app, and uninstall it. Since the key vulnerability Agent Smith exploits dates back to 2017 and has already been patched, mobile app developers are recommended to implement the latest APK Signature Scheme V2 to prevent malicious apps from leveraging Android's Janus vulnerability against their applications.
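As an added example (not from the article or from Check Point's research), here is a Python triage check a defender can run over APK files: it flags a file whose first bytes are a DEX header instead of a zip local-file header (the hybrid layout the Janus flaw relies on) and reports whether an APK Signing Block carrying a v2 or v3 signature is present. The signing-block magic and pair IDs are those of Android's published APK signature scheme; the fixture builder constructs synthetic zips for testing, not real APKs.

```python
import io
import struct
import zipfile
# Constants from Android's APK Signing Block format (signature scheme v2/v3).
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_V2_ID = 0x7109871A
SIG_V3_ID = 0xF05368C0
DEX_MAGIC = b"dex\n"

def find_eocd(data):
    """Return (eocd_offset, cd_offset); the EOCD is 22 bytes plus up to 65535 comment bytes."""
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("EOCD record not found: not a zip/APK")
    return idx, struct.unpack_from("<I", data, idx + 16)[0]

def signing_block_ids(data):
    """IDs of the ID-value pairs in the APK Signing Block (empty set if absent)."""
    _, cd = find_eocd(data)
    if cd < 32 or data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return set()
    size = struct.unpack_from("<Q", data, cd - 24)[0]  # excludes the leading size field
    pos, end, ids = cd - size, cd - 24, set()
    while pos + 12 <= end:
        pair_len, pair_id = struct.unpack_from("<QI", data, pos)
        ids.add(pair_id)
        pos += 8 + pair_len
    return ids

def assess_apk(data):
    """Triage flags: DEX magic where the zip header should be, and a v2/v3 signature block."""
    return {"dex_header_first": data[:4] == DEX_MAGIC,
            "has_v2_or_v3": bool(signing_block_ids(data) & {SIG_V2_ID, SIG_V3_ID})}

def build_fixture(with_v2=False, dex_prefix=False):
    """Constructed fixture, not a real APK: a stored zip, optionally with a dummy
    signing block before the central directory and/or a DEX header prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # constructed placeholder entry
    data = bytearray(buf.getvalue())
    if with_v2:
        eocd, cd = find_eocd(data)
        pair = struct.pack("<QI", 4 + 16, SIG_V2_ID) + b"\0" * 16  # dummy v2 value
        size = len(pair) + 8 + 16
        block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
        data[cd:cd] = block
        struct.pack_into("<I", data, eocd + len(block) + 16, cd + len(block))
    if dex_prefix:  # keep zip offsets valid after prepending 16 bytes, as a hybrid file must
        eocd, cd = find_eocd(data)
        data[0:0] = DEX_MAGIC + b"\0" * 12
        struct.pack_into("<I", data, eocd + 16 + 16, cd + 16)
    return bytes(data)
```

A v2 block is only checked by devices running Android 7.0 or later; older devices still fall back to the v1 (JAR) signature, so its presence is a necessary but not sufficient sign that an installed app is protected.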

Source: The Hacker News
