Agent Smith Malware Infecting Android Apps

“The primary battlefield in the hacking wars has shifted to the mobile device.”

Android mobile apps. (Source: Shutterstock)

Malware replacing legitimate Android apps on 25 million devices, and a Magecart campaign containing 17,000 domains on its Amazon bucket list highlight another busy week on the cybersecurity front.

Android malware, named Agent Smith, which replaces portions of apps with its own code, infected more than 25 million devices, according to researchers at security firm Check Point. Agent Smith replaces legitimate apps such as WhatsApp, Opera Mini, or Flipkart, in order to inject a flood of ads, or takes credit for the ads already displayed, so the malware’s operator can profit off the fraudulent views.

The malware so far has claimed over 25 million victims, according to Check Point, mainly devices in India (15.2 million), Bangladesh (2.5 million), and Pakistan (1.7 million), over a period of at least two months. The current form of Agent Smith first appeared in early 2018, distributed via booby-trapped Android apps uploaded through the third-party app store 9Apps, which is popular in that region.

Check Point said the malware did make its way to the U.S., where it infected more than 300,000 devices, and expanded into the Google Play Store with about a dozen scaled-down apps before Google removed the malicious apps it discovered.

According to a Check Point blog, Agent Smith could easily turn to more intrusive and harmful purposes such as banking credential theft and eavesdropping.

“This application was as malicious as they come,” Check Point wrote. According to the researchers, the malware appears to originate from a Chinese company that claims to help developers publish their apps internationally.

“The primary battlefield in the hacking wars has shifted to the mobile device. Criminal hacking organizations are relentless in creating novel ways to use social engineering and compromised apps as the first stage in their attacks,” said John Gunn, chief marketing officer of OneSpan.

Ido Safruti, chief technology officer and co-founder of PerimeterX, also commented: “We see these phenomena of infected ‘fake’ mobile apps, as well as infected ‘fake’ browser extensions, as a common and tricky way of distributing malware that can result in botnets that run on actual user devices.” Safruti warned that in many cases scammers use fake apps to create phony accounts on different services and to run large account-takeover campaigns.

San Francisco-based digital-threat-management solutions provider RiskIQ, in its latest research, continued its study of the Magecart gangs, which are blamed for causing at least 319,000 cyber incidents in 2018, including many digital credit-card-skimming attacks and the British Airways, Newegg and Ticketmaster breaches. More recently Magecart also claimed bedding retailers MyPillow and Amerisleep, and the Atlanta Hawks basketball team, as victims.

Magecart, which encompasses at least seven distinct cybercriminal groups, often uses a script that works much like a card skimmer mounted on a physical card terminal. With the malicious script, hackers can lift electronic payment information in real time during checkout.

In May, RiskIQ covered the latest mass compromise of third-party web suppliers by a Magecart group, which injected skimmer code on possibly thousands of websites.

“However, the actual scale of this campaign and the number of sites affected is much larger than previously reported,” wrote Yonathan Klijnsma, the RiskIQ head threat researcher behind the report. “The actors behind these compromises have automated the process of compromising websites with skimmers by actively scanning for unsecured Amazon S3 buckets.” This technique is possible because of misconfigured permissions on the S3 bucket that grant write access to anyone, Klijnsma wrote.

RiskIQ has been monitoring the compromise of S3 buckets since the beginning of the latest Magecart campaign, which started in early April 2019. They have been working with Amazon and affected parties to address Magecart injections and unsecured S3 buckets as they observe them.

According to RiskIQ, these actors automatically scan for buckets that are misconfigured to allow anyone to view and edit the files they contain. Once the attackers find a misconfigured bucket, they scan for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket.
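As an added example (not code from the article, RiskIQ or Amazon), the following Python audits an S3 bucket ACL and bucket policy for the anonymous write permission this campaign depends on. The ACL dictionary follows the shape boto3's get_bucket_acl returns; the sample ACL and policies at the bottom are constructed.

```python
import json
from fnmatch import fnmatchcase

# Group URIs AWS uses in S3 ACL grants for "anyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}

def acl_public_write(acl):
    """Public group URIs that a bucket ACL (boto3 get_bucket_acl shape) grants write access to."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMISSIONS):
            hits.append(grantee["URI"])
    return hits

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_public_write(policy_json):
    """Sids of Allow statements that let an anonymous principal put objects (incl. s3:* / s3:Put*)."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if anonymous and any(fnmatchcase("s3:putobject", a) for a in actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

# Constructed samples: an ACL and a policy that expose the bucket to the overwrite
# described in the article, and a read-only policy that does not.
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPublicWrite", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Public read on a static-asset bucket is often intentional; it is the write grant that lets a scanner replace the hosted .js, so that is what the two functions flag.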

These attackers have been active in web skimming for a long time using other techniques, but they started compromising unsecured S3 buckets in early April. According to RiskIQ data, the group has managed to compromise a vast collection of S3 buckets to impact well over 17,000 domains. This list includes websites in the top 2,000 of Alexa rankings as well.

Klijnsma noted the attackers sacrificed targeting in favor of reach to cast as wide a net as possible, so many of the compromised scripts do not load on payment pages. “However, the ease of compromise that comes from finding open S3 buckets means that even if only a fraction of their skimmer injections returns payment data, it will be worth it; they will have a substantial return on investment.”

Deepak Patel, security evangelist at PerimeterX, said, “Make no mistake, Magecart attacks are only accelerating. Digital skimming is the fastest growing attack type because cybercriminals always follow the money. Enterprises need to better protect their web properties from client-side attacks to prevent the risk of massive fines, as in the case of the British Airways GDPR fine, and damage to brand reputation.”