It has been reported that as many as 25 million Android phones have been hit with malware that replaces installed apps like WhatsApp with evil versions that serve up adverts according to Check Point. Dubbed Agent Smith, the malware abuses previously-known weaknesses in the Android operating system, making updating to the latest, patched version of Google’s operating system a priority. The malware has spread via a third party app store 9apps.com, which is owned by China’s Alibaba, rather than the official Google Play store.
Most victims are based in India, where as many as 15 million were infected. But there are more than 300,000 in the U.S., with another 137,000 in the U.K., making this one of the more severe threats to have hit Google’s operating system in recent memory.
Boris Cipot, Senior Security Engineer at Synopsys:
“Rogue software posing as the original, legitimate piece of software with the intention of luring users to install it and therefore infect their computers is a common practice criminals use. With the most modern mobile devices, downloading and installing apps is essentially a 5-second act which makes the risk of installing malware even bigger if you’re not careful—once you’ve confirmed the install, it’s too late to change your mind.
The potential to use software and functionalities from millions of developers—and for free in many cases—is a widely accepted practice. With this there are also hidden dangers afoot. An attacker has access to many user interaction points. This can help them to promote malware to users. Since users often do not check details around what software is being used within the app and who created it, attackers have many opportunities to push their malware on user devices.
App stores make their best effort to promote software from developers, communities, and companies alike. Some have firm rules around software development principles and naming conventions (and more) minimising the likelihood of malicious actors’ ability to place rouge applications within app stores. However, not all stores enforce such stringent rules; thus, allowing an opening for attack.
One way to remain vigilant against attacks is to only use app stores with strict application development policies and reviews. Be observant and cautious with regard to what you install on your mobile devices. Before confirming installation, have a look to see where the app comes from, if there are reliable sources reviewing the app, and investigate the default permissions. For instance, if a flashlight app asks permission to access your contacts, this should raise red flags. In such a case, be safe and don’t confirm the install.”
Dr Darren Williams, Founder and CEO at BlackFog:
“As the news breaks that 25 million Android phones have been infected with malware that replaces installed apps like WhatsApp with fake versions that serve up malicious adverts, it highlights the threat of ‘malvertising’ which has been steadily growing over the last few years. It can be extremely difficult for the average consumer to identify a malicious advert, because they often appear via legitimate and reputable advertising networks – or apps, like has happened here.
“Consumers need to be more vigilant about the apps which they are downloading onto their phones – many mobile applications collect information about what users are doing, and what many users don’t realise is that they’re the subject of unauthorised data collection each time they go online. They are at the mercy of malicious actors. That’s why consumers need to protect themselves to stop falling victims to these sophisticated attacks and prevent any personal data from leaving their devices.”
John Gunn, CMO at OneSpan:
“The primary battlefield in the hacking wars has shifted to the mobile device. Criminal hacking organizations are relentless in creating novel ways to use social engineering and compromised apps as the first stage in their attacks. Intelligent firms with a strong security posture can still readily defend their transactions with a combination of application shielding, continuous monitoring of user devices, and biometric authentication with risk analysis.”