More than 25 million smartphones infected with new malware hidden in WhatsApp

An investigation conducted by system audit specialists from the security firm Check Point has revealed the existence of new smartphone malware; dubbed “Agent Smith”, this malware has already infected more than 25 million users worldwide, mainly in India, where around 15 million cases of infection have been detected.

This malware hides from the user disguising itself as an app developed by Google; later, Agent Smith begins to remove the apps installed on the device, replacing them with fake versions, exploiting some known vulnerabilities in the Android operating system.

According to system audit experts, this malware variant can also be used to display advertisements about fraudulent businesses, but due to its advanced capabilities it can be used for more harmful purposes to the user. However, experts have not yet confirmed whether Agent Smith has been used for such purposes.

In recent years, multiple similar malware variants have been detected infecting Android systems, such as the popular CopyCat, Gooligan and HummingBad. These three malicious apps infected thousands of devices to generate revenue close to $1M USD with fake advertising. 

Check Point’s system audit experts claim that Agent Smith was found in 9Apps, a popular third-party app store and focuses primarily on Russian, Hindi, Indonesian and Arabic speakers. Although most of the victims are in these countries, mainly in India, some cases have been identified in the U.S., Australia and the United Kingdom.

As a precautionary measure, the International Institute of Cyber Security (IICS) advises Android users not to install apps available outside the official Google Play Store platform, as it is common for apps developed by third parties they do not have the security measures required to block tools like those in Agent Smith code.

Finally, Check Point’s research revealed that, over the past month, the most commonly used malware variants detected were Lotoor, Triad and Ztorg. The main function of Lotoor is to display ads on the infected device; Triada is a modular backdoor for Android, while Ztorg is a malware to generate privileges escalations on the operating system that can also install other applications on the device.