AgentSmith – A New species of Mobile Malware

Aviran Hazum / Check Point

With the current application monetization tools and the goal of malicious actors to gain a financial edge, it is no surprise that there are massive adware campaigns in the wild. Those campaigns exploit the CPM model and commit malicious activities in order to get as many victims as possible into their pool of impressions, clicks, and revenue.

‘AgentSmith’ is an adware campaign recently discovered by Check Point researchers. Using vulnerabilities such as Feng-Shui Bundle, Janus, and Man-in-the-Disk, this malware campaign clawed its way onto over 25 million unique Android devices, displaying ads and generating revenue for the actor behind it. With a unique on-device, just-in-time approach, this malware decompiles existing applications on the infected device, alters their code, and compiles them, turning them into adware.

The actor operating ‘AgentSmith’ is hiding behind a front: a company that helps eastern developers reach into western markets. This operation allows the actor to get their hands on legitimate applications and insert their malicious code into them, turning each application into a delivery method onto victims’ devices. With a 3-stage infection chain, a large infrastructure to monitor activities, and a dynamic prey-list, ‘AgentSmith’ was able not only to infect existing applications but also to interfere with auto-update mechanisms to keep the device in the large botnet pool for as long as possible.

In this talk, we will discuss the evolution of mobile malware and the unique capabilities, methodologies, and approaches observed in the ‘AgentSmith’ campaign, and provide insight into our investigation.

November 8 at 14:30 - 15:00, Stage A

Aviran Hazum

After finishing his B.Sc in computer science at the age of 18, Aviran joined IDF’s 8200 for 7 years. With over 10 years of experience and the mindset of an attacker, Aviran now leads the mobile threat intelligence team at Check Point and is focused on campaign hunting on the mobile front.