More than 100,000 Australian Android users have had their devices infected with malware that replaces popular apps with fake versions serving up advertising, part of more than 25 million incidents around the world.
Israeli cybersecurity firm Check Point Research released a report last week detailing the “Agent Smith” malware, which it detected earlier this year but traced back to January 2016.
The malware exploits a previously known vulnerability in the Android operating system, disguising itself as a version of a popular app, such as WhatsApp, and then serving up ads to the owner.
It does this by searching for legitimate apps on the device and replacing them with malware-infected versions.
The malware was downloaded from third-party app store 9Apps.com, not Google’s official Play store.
After it was downloaded, the malware would then infect the innocent apps, which would display advertising out of context.
The infected apps were usually found to be phone utilities, games or adult-themed applications.
The malware was being used for financial gain by the hackers, who would receive money every time someone clicked on the advertising.
But Check Point Research said there are “endless possibilities” for the vulnerability to be exploited in much more serious ways, such as banking credential theft and eavesdropping.
“Due to its ability to hide its icon from the launcher and impersonate any popular existing apps on a device, there are endless possibilities for this sort of malware to harm a user’s device,” the report said.
More than 15 million of the infected devices were found to be in India, with 141,000 in Australia, 300,000 in the US and 137,000 in the UK.
Malware like this is typically focused on developing countries, making the spread of Agent Smith in the US, UK and Australia even more concerning.
Android users should update their phones immediately, and can search for the malicious apps by going to the Apps and Notifications section in Settings, tapping on the app information list, and searching for suspicious applications with names such as Google Updater, Google Installer for U, Google Powers and Google Installer.
These apps should be uninstalled.
“The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,” Check Point Software Technologies head of mobile threat detection research Jonathan Shimonovich said.
“Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like Agent Smith.
“In addition, users should only be downloading apps from trusted app stores to mitigate the risk of infection, as third party app stores often lack the security measures required to block adware loaded apps.”
There needs to be a more cohesive effort to combat threats like this, Check Point Research said.
“The Agent Smith campaign serves as a sharp reminder that effort from system developers alone is not enough to build a secure Android ecosystem,” the report said.
“It requires attention and action from system developers, device manufacturers, app developers and users so that vulnerability fixes are patched, distributed, adopted and installed.”
The cybersecurity firm connected the malware to a Chinese internet company based in Guangzhou, whose genuine front-end business helps Chinese Android developers publish and promote their apps on overseas platforms.
Agent Smith was also found to resemble previous malware found on Android devices, like Gooligan, Hummingbad and CopyCat.
It also follows revelations last year that Android users were downloading malware-infested versions of the popular game Fortnite.
Android apps have also been found to automatically share user data with Facebook without the permission of users, according to a Privacy International report earlier this year.