In AppSealing Blog

Agent Smith comes across as the new malware which has taken the mobile app world by storm, infecting 25 million Android devices across the globe. The security firm Check Point found this malware – inspired by the movie Matrix’s antagonist – which went undetected from January 2016 and spread innocuously through various distribution channels like 9Apps. It has managed to morph into different avatars – starting from distribution through boobytrapped apps in 9Apps, and then appearing in Google Play. It is astonishing to note that two apps that were infected with the malware had hit the 10 million mark in terms of downloads, indicating its reach and damage it could cause.

Mode of Operation

Agent Smith adopts a unique methodology to infect apps and derives strength from its mode of a stealth operation. It sneakily exploits known Android vulnerabilities, such as Janus, Bundle, and Man-in-the-Disk, to initiate a multi-stage infection process and creates a compromised version of the legitimate app without the user’s knowledge. The installed apps on the user’s mobile device are replaced with malicious versions without seeking the user running any commands.

Agent Smith’s modus operandi is so secretive that the infected app does not display its icon in the app launcher screen (as with other apps) and impersonates any popular application, such as WhatsApp, to launch. This way it causes wideranging repercussions stealthily. Extracting the base APK of the source app, the malware inserts malicious modules and installs the infected APK back to the device through an update from Play Store.

Infection Process

The team behind this malware exploited malicious code hidden in games and adult-themed apps. When users download them, the infected app pulls another APK which contained Agent Smith malware. Once installed, Agent Smith scans apps already installed on the phone and, based on a list of target apps, replaces them with infected clones. This process itself is very complex, as malicious code is injected into a legitimate app without impacting its MD5 file hash. Agent Smith triggers an update of the infected app and blocks any future app updates, thus cementing its position in the user’s device.

Since it compromises the device as a whole, Agent Smith has the ability to show clickbaits and fraud ads for deliberate financial gains to the hackers and can harm your potential and legitimate revenue from your app. This way it forces the infected app to display more adverts or steal credits for ads that were already served by your server. It is frightening to note that the malware’s capabilities can easily extend to stealing sensitive information, such as personally identifiable information and financial transaction data.

Source and Impact Points

According to Checkpoint, Agent Smith’s source can be traced back to a Chinese company in Guangzhou that assists developers to publish their apps on overseas platforms. Though the damage caused has been so far minimal, the compromised apps could prove to be more annoying and harmful, like initiating banking credential theft and eavesdropping. Though the Checkpoint research team has submitted its findings to Google and as on date, all malicious apps have been removed from Play Store, the message is loud and clear: Your business is at grave risk if you do not implement a sturdy security framework, like AppSealing.

AppSealing’s Robust Security Framework

With the advent of the agile development cycle, developers should apply robust security measures regularly to keep their apps up-to-date with the latest patches, which can then be deployed quickly to protect your esteemed customers from emerging threat vectors, like Agent Smith.

Tools like AppSealing also come in handy in providing all-round protection for your apps against such cheating tools and malware. The best way to be malware safe is to adopt “hygiene-first” approach. AppSealing provides you with RASP (Runtime Application Self-Protection) features, such as anti-debugging and anti-decompile protection, integrity protection, cheat tool detection, etc. without any extra effort to code security.

By securing the code through AppSealing, your development team will be able to secure the business-critical app and uphold the customer’s trust even in times of such a raging security threat environment. What differentiates AppSealing from other security tools is its seamless approach while integrating the developed codebase with the security layer within minutes. This is done without impacting the performance of the app.


Govindraj Basatwar, Global Business Head
Govindraj Basatwar, Global Business Head
A Techo-Commerical evangelist who create, develop, and execute a clear vision for teams. Successfully created a SaaS business model with multi Million Dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market entering strategy, business plan, sales, and business development activities.

Leave a Comment

AppSealing release versionsOTT sector has exploded globally and so has hackers interest in it. Learn how to beat hackers to protect your revenue