{
	"id": "01c546af-80bc-48f3-a285-737be738ace8",
	"created_at": "2026-04-06T00:12:22.891006Z",
	"updated_at": "2026-04-10T03:30:33.512082Z",
	"deleted_at": null,
	"sha1_hash": "35e3e89e84f5c00c57532b214cf2df6460020913",
	"title": "Agent Smith: A New Species of Mobile Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98308,
	"plain_text": "Agent Smith: A New Species of Mobile Malware\r\nBy deugenio\r\nPublished: 2019-07-10 · Archived: 2026-04-05 20:55:39 UTC\r\nResearch by: Aviran Hazum, Feixiang He, Inbal Marom, Bogdan Melnykov, Andrey Polkovnichenko\r\nCheck Point researchers recently discovered a new variant of mobile malware that quietly infected around 25\r\nmillion devices while their users remained completely unaware. Disguised as a Google-related app, the core part of the\r\nmalware exploits several known Android vulnerabilities and automatically replaces installed apps on the device\r\nwith malicious versions, without any user interaction. This unique on-device, just-in-time (JIT) approach inspired\r\nthe researchers to dub the malware “Agent Smith”.\r\n“Agent Smith” currently uses its broad access to the device’s resources to show fraudulent ads for financial gain.\r\nThis activity resembles previous campaigns such as Gooligan, HummingBad and CopyCat. The primary targets,\r\nso far, are based in India, though other Asian countries such as Pakistan and Bangladesh are also affected.\r\nIn a much-improved Android security environment, the actors behind Agent Smith appear to have moved into the\r\nmore complex business of constantly searching for new loopholes, such as Janus, Bundle and Man-in-the-Disk, to\r\nachieve a three-stage infection chain and build a botnet of controlled devices that earns profit for the perpetrator.\r\n“Agent Smith” is possibly the first campaign seen to integrate and weaponize all of these loopholes; they are\r\ndescribed in detail below.\r\nIn this case, “Agent Smith” is being used for financial gain through malicious advertisements.\r\nHowever, it could easily be used for far more intrusive and harmful purposes such as banking credential theft.\r\nIndeed, given its ability to hide its icon from the launcher and to impersonate any popular app already on a\r\ndevice, there are endless possibilities for this sort of malware to harm a user’s 
device.\r\nCheck Point Research has submitted data to Google and law enforcement units to facilitate further investigation.\r\nAs a result, information related to the malicious actor is tentatively redacted in this publication. Check Point has\r\nworked closely with Google and, at the time of publishing, no malicious apps remain on the Play Store.\r\nEncounter\r\nIn early 2019, the Check Point Research team observed a surge of Android malware attack attempts against users\r\nin India which had strong characteristics of Janus vulnerability abuse. All samples our team collected during the\r\npreliminary investigation had the ability to hide their app icons and claimed to be Google-related updaters or\r\nvending modules (a key component of the Google Play framework).\r\nUpon further analysis it became clear these applications were as malicious as they come; they initially resembled the\r\nCopyCat malware, discovered by Check Point Research back in April 2016. As the research progressed, it started\r\nto reveal unique characteristics which made us believe we were looking at an all-new malware campaign found in\r\nthe wild.\r\nhttps://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/\r\nPage 1 of 19\n\nAfter a series of technical analyses (covered in detail below) and heuristic threat hunting, we discovered\r\nthat a complete “Agent Smith” infection has three main phases:\r\n1. A dropper app lures the victim into installing it voluntarily. The initial dropper carries a weaponized Feng Shui\r\nBundle as encrypted asset files. Dropper variants are usually barely functioning photo utilities, games, or sex-related apps.\r\n2. The dropper automatically decrypts and installs its core malware APK, which later conducts the malicious\r\npatching and app updates. The core malware is usually disguised as Google Updater, Google Update for U\r\nor “com.google.vending”. The core malware’s icon is hidden.\r\n3. The core malware extracts the device’s installed app list. If it finds apps on its prey list (hard-coded or sent\r\nfrom the C\u0026C server), it extracts the base APK of the target innocent app from the device, patches the APK\r\nwith malicious ad modules, installs the patched APK back and replaces the original one as if it were an update.\r\n“Agent Smith” repacks its prey apps at the smali/baksmali code level. During the final update installation process, it\r\nrelies on the Janus vulnerability (CVE-2017-13156) to bypass Android’s APK integrity checks: a file that begins with a valid DEX header and\r\nends with a valid ZIP archive passes the v1 (JAR) signature check, which verifies only the ZIP entries and never looks at the bytes in front of them,\r\nwhile the runtime sees the DEX magic at offset 0 and executes that code instead. Upon kill chain completion, “Agent\r\nSmith” hijacks the compromised user apps to show ads. In certain situations, variants intercept the compromised\r\napps’ original, legitimate ad display events and report back to the intended ad exchange with the “Agent Smith”\r\ncampaign operator’s ad IDs.\r\nOur intelligence shows “Agent Smith” droppers proliferate through the third-party app store “9Apps”, a UC-team-backed\r\nstore targeted mostly at Indian (Hindi), Arabic, and Indonesian users. “Agent Smith” itself, though, seems\r\nto target mainly Indian users.\r\nUnlike previously discovered non-Google-Play-centric campaigns, whose victims almost exclusively come from\r\nless developed countries and regions, “Agent Smith” successfully penetrated a noticeable number of devices in\r\ndeveloped countries such as Saudi Arabia, the UK and the US.\r\nDiagram: Agent Smith’s Attack Flow\r\nTechnical Analysis\r\n“Agent Smith” has a modular structure and consists of the following modules:\r\nLoader\r\nCore\r\nBoot\r\nPatch\r\nAdSDK\r\nUpdater\r\nAs stated above, the first step of this infection chain is the dropper. The dropper is a repacked legitimate\r\napplication which contains an additional piece of code: the “loader”.\r\nThe loader has a very simple purpose: extract and run the “core” module of “Agent Smith”. The “core” module\r\ncommunicates with the C\u0026C server, receiving the predetermined list of popular apps to scan the device for. If any\r\napplication from that list is found, it utilizes the Janus vulnerability to inject the “boot” module into the\r\nrepacked application. On the next run of the infected application, the “boot” module runs the “patch”\r\nmodule, which hooks the methods of known ad SDKs and redirects them to its own implementation.\r\nFigure 1: ‘Agent Smith’s modular structure\r\nTechnical Analysis – Loader Module\r\nThe “loader” module, as stated above, extracts and runs the “core” module. While the “core” module resides\r\ninside the APK file, it is encrypted and disguised as a JPG file: the first two bytes are the JPEG magic header\r\n(FF D8), while the rest of the data is encoded with an XOR cipher.\r\nFigure 2: “Agent Smith’s jpg file structure\r\nAfter the extraction, the “loader” module adds the code to the application using the legitimate Android mechanism\r\nfor handling large (multi-DEX) applications.\r\nFigure 3: Loading core malicious code into the benign application\r\nOnce the “core” module is extracted and loaded, the “loader” uses reflection to initialize and start\r\nthe “core” module.\r\nFigure 4: Loader calls initialization method\r\nTechnical Analysis – Core Module\r\nWith the main purpose of spreading the infection, “Agent Smith” implements in the “core” module:\r\n1. A series of ‘Bundle’ vulnerabilities, which are used to install applications without the victim’s awareness.\r\n2. The Janus vulnerability, which allows the actor to replace any application with an infected version.\r\nThe “core” module contacts the C\u0026C server, trying to get a fresh list of applications to search for, or, if that fails,\r\nuses a default app list:\r\nwhatsapp\r\nlenovo.anyshare.gps\r\nmxtech.videoplayer.ad\r\njio.jioplay.tv\r\njio.media.jiobeats\r\njiochat.jiochatapp\r\njio.join\r\ngood.gamecollection\r\nopera.mini.native\r\nstartv.hotstar\r\nmeitu.beautyplusme\r\ndomob.applock\r\ntouchtype.swiftkey\r\nflipkart.android\r\ncn.xender\r\neterno\r\ntruecaller\r\nFor each application on the list, the “core” module checks for a matching version and MD5 hash of the installed\r\napplication, and also checks whether the application is running in user space. If all conditions are met, “Agent Smith”\r\ntries to infect the application.\r\nThe “core” module will use one of two methods to infect the application: Decompile or Binary.\r\nThe decompile method is based on the fact that Android applications are Java-based, meaning it is possible to\r\nrecompile them. Therefore, “Agent Smith” decompiles both the original application and the malicious payload and\r\nfuses them together.\r\nFigure 5: core module mixes malicious payload with the original application\r\nWhile decompiling the original app, “Agent Smith” has the opportunity to modify the methods inside: it replaces\r\nsome of the methods in the original application that handle advertisement with its own code, focusing on\r\nmethods communicating with ‘AdMob’, ‘Facebook’, ‘MoPub’ and ‘Unity Ads’.\r\nFigure 6: Targeted ad network\r\nFigure 7: Injection example\r\nAfter all of the required changes, “Agent Smith” compiles the application and builds a DEX file containing both\r\nthe original code of the original application and the malicious payload.\r\nIn some cases the decompilation process will fail, and “Agent Smith” will try another method for infecting the\r\noriginal application: a binary patch, which simply supplies a binary file of the “boot” module of “Agent Smith”.\r\nOnce the payload is prepared, “Agent Smith” uses it to build another APK file, exploiting the Janus vulnerability:\r\nFigure 8: The new infected APK file structure\r\nSolely injecting the code of the loader is not enough. As “Agent Smith” uses a modular approach, and, as stated\r\nearlier, the original loader extracts everything from the assets, using the Janus vulnerability can only change\r\nthe code of the original application, not its resources. This means that the only thing possible in this case is to\r\nreplace its DEX file.\r\nTo overcome this issue, “Agent Smith” found another solution. Seeing as the system loader of DEX files\r\n(ART) ignores everything that follows the data section, the patcher writes all of its resources right there.\r\nThe file grows beyond the size recorded in the DEX header, so the malicious resources become part of the DEX\r\nfile in a region that the signature validation process does not cover.\r\nFigure 9: Malware secretly adds malicious resources to the DEX file\r\nNow, after the alteration of the original application, Android’s package manager will think that this is an update\r\nfor the application signed by the same certificate, but in reality it will execute the malicious DEX file.\r\nEven now, this is still not enough. “Agent Smith” needs to be updated/installed without the user’s consent. To\r\nachieve this, “Agent Smith” utilizes a series of 1-day vulnerabilities which allow any application to run an\r\nactivity inside a system application, even if this activity is not exported.\r\nThe malicious application sends a request to choose a network account, a specific account type that can only be\r\nprocessed by authentication services exported by the malicious application. The system service\r\n‘AccountManagerService’ looks for the application that can process this request. While doing so, it reaches a\r\nservice exported by “Agent Smith” and sends out an authentication request that leads to a call to the\r\n‘addAccount’ method. Then, a request is formed in such a way that an activity that installs the application is\r\ncalled, bypassing all security checks.\r\nFigure 10: The algorithm of the malicious update, while “Agent Smith” updates application\r\nIf all that has failed, “Agent Smith” turns to the Man-in-the-Disk vulnerability in the ‘SHAREit’ or ‘Xender’\r\napplications. 
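Before moving on to the boot module, the trailing-data trick of Figure 9 is worth seeing in code, because it is also the cheapest way to spot a patched DEX on disk. The script below is an added example written for this page; it is not Check Point’s code and is not taken from any Agent Smith sample. It reads the declared file_size from the DEX header, verifies the header’s Adler-32 checksum and SHA-1 signature (which the DEX format computes only over the declared file_size bytes), and returns whatever lies beyond that offset, the region the boot module later reads its payload from. The DEX fixtures and the appended payload are constructed inside the script.

```python
# Added example (written for this page, not code from the Agent Smith samples
# or from Check Point): find data appended beyond a DEX file's declared size.
import hashlib
import struct
import zlib

DEX_HEADER_LEN = 0x70                          # fixed header size for all DEX versions
DEX_MAGIC_PREFIX = bytes.fromhex('6465780a')   # the ASCII bytes d e x followed by 0x0a


def parse_dex_header(blob):
    '''Return the header fields needed to spot trailing data.'''
    if len(blob) < DEX_HEADER_LEN or blob[:4] != DEX_MAGIC_PREFIX:
        raise ValueError('not a DEX file')
    (checksum,) = struct.unpack_from('<I', blob, 8)          # adler32 at offset 8
    signature = blob[12:32]                                  # SHA-1 at offset 12
    file_size, header_size, endian_tag = struct.unpack_from('<III', blob, 32)
    data_size, data_off = struct.unpack_from('<II', blob, 104)
    return {'version': blob[4:7].decode('ascii'), 'checksum': checksum,
            'signature': signature.hex(), 'file_size': file_size,
            'header_size': header_size, 'endian_tag': endian_tag,
            'data_size': data_size, 'data_off': data_off}


def dex_integrity_ok(blob, hdr):
    '''The checksum covers bytes 12..file_size and the signature bytes 32..file_size,
    so anything appended past file_size never disturbs either of them.'''
    body = blob[:hdr['file_size']]
    adler_ok = zlib.adler32(body[12:]) == hdr['checksum']
    sha_ok = hashlib.sha1(body[32:]).hexdigest() == hdr['signature']
    return adler_ok and sha_ok


def trailing_data(blob, hdr):
    '''Everything past the declared file_size: ART ignores it, the header hashes
    ignore it, and it is where the boot module looks for its payload.'''
    return blob[hdr['file_size']:]


def inspect_dex(blob):
    hdr = parse_dex_header(blob)
    extra = trailing_data(blob, hdr)
    return {'version': hdr['version'],
            'declared_size': hdr['file_size'],
            'actual_size': len(blob),
            # with dx/d8 output the data section is last, so this normally equals file_size
            'data_end': hdr['data_off'] + hdr['data_size'],
            'header_integrity_ok': dex_integrity_ok(blob, hdr),
            'trailing_bytes': len(extra),
            'trailing_payload': extra}


def build_minimal_dex(data_section):
    '''Constructed fixture: a DEX header with empty tables and a correct
    checksum and signature. It parses, but it is not loadable code.'''
    header = bytearray(DEX_HEADER_LEN)
    header[0:8] = bytes.fromhex('6465780a30333500')          # magic, version 035
    struct.pack_into('<I', header, 32, DEX_HEADER_LEN + len(data_section))  # file_size
    struct.pack_into('<I', header, 36, DEX_HEADER_LEN)       # header_size
    struct.pack_into('<I', header, 40, 0x12345678)           # endian_tag
    struct.pack_into('<II', header, 104, len(data_section), DEX_HEADER_LEN)  # data_size, data_off
    blob = header + data_section
    blob[12:32] = hashlib.sha1(blob[32:]).digest()           # signature: excludes magic, checksum, itself
    struct.pack_into('<I', blob, 8, zlib.adler32(blob[12:]))  # checksum: excludes magic and itself
    return bytes(blob)


# Constructed samples: a clean DEX, the same DEX with a payload glued on the end
# the way the patcher does it, and a DEX modified inside its declared bytes.
CLEAN_DEX = build_minimal_dex(bytes.fromhex('00112233445566778899aabbccddeeff'))
APPENDED_PAYLOAD = b'CONSTRUCTED-RESOURCES:boot-payload,ads.cfg'
INFECTED_DEX = CLEAN_DEX + APPENDED_PAYLOAD
TAMPERED_DEX = CLEAN_DEX[:DEX_HEADER_LEN] + bytes([0xFF]) + CLEAN_DEX[DEX_HEADER_LEN + 1:]

if __name__ == '__main__':
    for name, sample in (('clean', CLEAN_DEX), ('infected', INFECTED_DEX), ('tampered', TAMPERED_DEX)):
        r = inspect_dex(sample)
        print(name, r['declared_size'], r['actual_size'], r['header_integrity_ok'], r['trailing_bytes'])
```

A DEX pulled from a device is read with open(path, 'rb').read() and handed to inspect_dex. A nonzero trailing_bytes together with header_integrity_ok still True is the fingerprint of an append-only modification like the one in Figure 9; a change inside the declared bytes (the TAMPERED_DEX case) breaks the header hashes unless the attacker recomputes them, which the patcher never has to do.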
This is a very simple process: it replaces the SHAREit or Xender update file on the SD card with its own malicious\r\npayload.\r\nFigure 11: ‘Agent Smith’ uses man-in-disk to install the malicious update\r\nTechnical Analysis – Boot Module\r\nThe “boot” module is basically another “loader” module, but this time it is executed in the infected application.\r\nThe purpose of this module is to extract and execute a malicious payload: the “patch” module. The infected\r\napplication contains its payload inside the DEX file. All that is needed is to read the original size of the DEX file\r\nfrom its header and read everything that comes after this offset.\r\nFigure 12: Boot module\r\nAfter the patch module is extracted, the “boot” module executes it, using the same method described for the\r\n“loader” module. The “boot” module has placeholder classes for the entry points of the infected applications. This\r\nallows the “boot” module to execute the payloads when the infected application is started.\r\nFigure 13: placeholder classes in Boot module\r\nTechnical Analysis – Patch Module\r\nOnce “Agent Smith” has reached its goal, a malicious payload running inside the original application with\r\nhooks on various methods, everything depends on keeping that code in place if the original application is updated.\r\nHaving invested a lot of resources in the development of this malware, the actor behind “Agent Smith” does not\r\nwant a real update to remove all of the changes made, so this is where the “patch” module comes into play.\r\nWith the sole purpose of disabling automatic updates for the infected application, this module observes the update\r\ndirectory of the original application and removes the file once it appears.\r\nAnother trick in “Agent Smith’s arsenal is to change the settings of the update timeout, making the original\r\napplication wait endlessly for the update check.\r\nFigure 14: disabling infected apps auto-update\r\nFigure 15: changing the settings of the update timeout\r\nThe Ad Displaying Payload\r\nFollowing all of the above, now is the time to take a look at the actual payload that displays ads to the victim.\r\nIn the injected payload, the module implements the method ‘callActivityOnCreate’ (the Instrumentation callback\r\nthe framework invokes whenever an activity is created). Any time an infected application creates an activity, this method\r\nis called and in turn calls ‘requestAd’ from “Agent Smith’s code.\r\n“Agent Smith” replaces the original application’s activities with an in-house SDK’s activity, which shows\r\nthe banner received from the server.\r\nIn the case of an infected application not specified in the code, “Agent Smith” will simply show ads on the\r\nactivity being loaded.\r\nFigure 16: integrating an in-house ad SDK\r\nFigure 17: replacing original app activities with the malicious ad SDK activity\r\nFigure 18: the malware showing ads on any activity being loaded\r\nConnecting the Dots\r\nOur malware sample analysis took the team closer to revealing the “Agent Smith” campaign in its entirety, and it is\r\nhere that the C\u0026C server investigation enters center stage.\r\nWe started with the most frequently used C\u0026C domains “a***d.com”, “a***d.net”, and “a***d.org”. Among multiple\r\nsub-domains, “ad.a***d.org” and “gd.a***d.org” both historically resolved to the same suspicious IP address.\r\nThe reverse DNS history of this IP brought “ads.i***e.com” to our attention.\r\nAn extended malware hunting process returned a large set of “Agent Smith” dropper variants, which helped\r\nus further deduce a relation among multiple C\u0026C server infrastructures. In a different period of the “Agent Smith”\r\ncampaign, droppers and core modules used various combinations of the “a***d” and “i***e” domains for\r\nmalicious operations such as prey list queries, patch requests and ad requests.\r\nWith a bit of luck, we managed to find logs in which the evidence showed that “Agent Smith’s C\u0026C front end\r\nroutinely distributes a workload between “w.h***g.com” and “tt.a***d.net”.\r\nAn in-depth understanding of the “Agent Smith” campaign’s C\u0026C infrastructure enabled us to reach the conclusion\r\nthat the owner of “i***e.com” and “h***g.com” is the group of hackers behind “Agent Smith”.\r\nFigure 19: C\u0026C infrastructure diagram\r\nThe Infection Landscape\r\n“Agent Smith” droppers show a very greedy infection tactic. It is not enough for this malware family to swap just\r\none innocent application with an infected double; it does so for each and every app on the device, as long as the\r\npackage name is on its prey list.\r\nOver time, this campaign also infects the same device repeatedly with the latest malicious patches. This leads\r\nus to estimate over 2.8 billion infections in total on around 25 million unique devices, meaning that on\r\naverage each victim would have suffered roughly 112 swaps of innocent applications.\r\nAs an initial attack vector, “Agent Smith” abuses the 9Apps market, with over 360 different dropper variants. To\r\nmaximize profit, variants with the “MinSDK” or “OTA” SDK are present to further infect victims with other adware\r\nfamilies. The majority of droppers in 9Apps are games, while the rest fall into the categories of adult entertainment,\r\nmedia players, photo utilities, and system utilities.\r\nFigure 20: dropper app category distribution\r\nAmong the vast number of variants, the top 5 most infectious droppers alone have been downloaded more than 7.8\r\nmillion times (see Figure 21 for their infection operations against innocent applications):\r\nFigure 21: Top 5 most infectious droppers\r\nThe “Agent Smith” campaign is primarily targeted at Indian users, who represent 59% of the impacted population.\r\nUnlike previously seen non-GP (Google Play) centric malware campaigns, “Agent Smith” has a significant impact\r\nnot only on developing countries but also on some developed countries where GP is readily available. For\r\nexample, the US (with around 303k infections), Saudi Arabia (245k), Australia (141k) and the UK (137k).\r\nFigure 22: world infection heat map\r\nConsidering that India is by far the country most infected by “Agent Smith”, the overall compromised device brand\r\ndistribution is heavily influenced by brand popularity among Indian Android users:\r\nFigure 23: infected brand distribution\r\nWhile most infections occurred on devices running Android 5 and 6, we also see a considerable number of\r\nsuccessful attacks against newer Android versions.\r\nThis is a worrying observation. AOSP closed the Janus hole from version 7 onwards by introducing APK Signature Scheme V2,\r\nwhich signs the APK’s bytes as a whole rather than only its ZIP entries, so a DEX header placed in front of the archive invalidates the signature. 
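Two of the points above can be checked statically on any APK pulled from a device: whether a DEX header sits in front of the ZIP (the Janus polyglot shape of Figure 8), and whether the file carries an APK Signing Block at all, since v2 only protects apps that were actually signed with it. The following added example, written for this page rather than taken from Check Point or from any sample, parses the ZIP end-of-central-directory record, looks for the signing block immediately before the central directory and reports which scheme IDs it contains. The fixture APKs, the placeholder signing block (which holds no real signature) and the polyglot are all constructed in the script, so the result means ‘block present’, not ‘signature verifies’.

```python
# Added example (written for this page, not Check Point's code): does an APK
# look like a Janus DEX/ZIP polyglot, and does it carry an APK Signing Block?
import io
import struct
import zipfile

DEX_MAGIC_PREFIX = bytes.fromhex('6465780a')   # ASCII d e x followed by 0x0a
EOCD_SIG = bytes.fromhex('504b0506')           # ZIP end-of-central-directory record
APK_SIG_BLOCK_MAGIC = b'APK Sig Block 42'      # last 16 bytes of the signing block
V2_ID, V3_ID = 0x7109871A, 0xF05368C0          # scheme IDs stored in the block

def find_eocd(blob):
    '''Offset of the EOCD record (ZIP allows up to 64 KiB of trailing comment).'''
    pos = blob.rfind(EOCD_SIG, max(0, len(blob) - 65557))
    if pos < 0:
        raise ValueError('no end-of-central-directory record')
    return pos

def central_directory(blob):
    '''(entry_count, cd_size, cd_offset) as stored in the EOCD record.'''
    return struct.unpack_from('<HII', blob, find_eocd(blob) + 10)

def apk_signing_block(blob):
    '''Parse the block that sits right before the central directory:
    uint64 size, (uint64 len, uint32 id, value)*, uint64 size, 16-byte magic.'''
    _, _, cd_off = central_directory(blob)
    if cd_off < 32 or blob[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return None
    (size_of_block,) = struct.unpack_from('<Q', blob, cd_off - 24)
    start = cd_off - 8 - size_of_block
    if start < 0 or struct.unpack_from('<Q', blob, start)[0] != size_of_block:
        return None
    pairs, pos, end = {}, start + 8, cd_off - 24
    while pos < end:
        length, pair_id = struct.unpack_from('<QI', blob, pos)
        pairs[pair_id] = blob[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs

def classify_apk(blob):
    '''Static triage. A block being present says nothing about whether it verifies.'''
    try:
        central_directory(blob)
        is_zip = True
    except ValueError:
        is_zip = False
    sig = apk_signing_block(blob) if is_zip else None
    return {'is_zip': is_zip,
            'janus_polyglot': is_zip and blob[:4] == DEX_MAGIC_PREFIX,
            'has_v2_signature': bool(sig) and V2_ID in sig,
            'has_v3_signature': bool(sig) and V3_ID in sig}

def zip_entry_names(blob):
    with zipfile.ZipFile(io.BytesIO(blob)) as z:   # confirms it still opens as a ZIP
        return z.namelist()

def shift_offsets(blob, cd_delta, local_delta):
    '''Repair the EOCD cd_offset and every entry's local-header offset after bytes
    were inserted before the central directory (local_delta > 0 when they were
    inserted before the local headers as well).'''
    data = bytearray(blob)
    eocd = find_eocd(data)
    entries, _, cd_off = struct.unpack_from('<HII', data, eocd + 10)
    cd_off += cd_delta
    struct.pack_into('<I', data, eocd + 16, cd_off)
    pos = cd_off
    for _ in range(entries):
        name_len, extra_len, comment_len = struct.unpack_from('<HHH', data, pos + 28)
        (local_off,) = struct.unpack_from('<I', data, pos + 42)
        struct.pack_into('<I', data, pos + 42, local_off + local_delta)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(data)

def build_unsigned_apk():
    '''Constructed fixture standing in for a v1-only APK.'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as z:
        z.writestr('AndroidManifest.xml', 'constructed manifest')
        z.writestr('classes.dex', 'constructed dex payload')
    return buf.getvalue()

def add_signing_block(apk, scheme_id):
    '''Insert a block with one pair whose value is a placeholder, not a signature.'''
    _, _, cd_off = central_directory(apk)
    value = b'placeholder-signer-data'
    pair = struct.pack('<QI', 4 + len(value), scheme_id) + value
    size_of_block = len(pair) + 8 + 16         # everything except the leading size field
    block = struct.pack('<Q', size_of_block) + pair + struct.pack('<Q', size_of_block) + APK_SIG_BLOCK_MAGIC
    return shift_offsets(apk[:cd_off] + block + apk[cd_off:], len(block), 0)

def prepend_dex_header(apk):
    '''Constructed Janus-shaped fixture: a bare DEX header in front of the ZIP, with
    the ZIP offsets repaired so a ZIP reader and a DEX magic check both accept it.'''
    dex = bytearray(0x70)
    dex[0:8] = bytes.fromhex('6465780a30333500')
    struct.pack_into('<I', dex, 32, len(dex))
    return shift_offsets(bytes(dex) + apk, len(dex), len(dex))

UNSIGNED_APK = build_unsigned_apk()
V2_SIGNED_APK = add_signing_block(UNSIGNED_APK, V2_ID)
JANUS_APK = prepend_dex_header(UNSIGNED_APK)
```

For an APK pulled from a device, classify_apk(open(path, 'rb').read()) gives the three flags and zip_entry_names confirms the archive still parses. A v1-only app is the kind of prey the core module looks for on a pre-patch device, and a file that is janus_polyglot while lacking a v2/v3 block is one that has already been swapped; a real signing block would then be handed to apksigner or a v2 verifier, which this script does not replace.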
However, the new scheme only blocks Janus abuse if app developers actually sign their apps with it,\r\nso that the Android framework’s security components can perform the enhanced integrity checks.\r\nFigure 25: infected Android version distribution\r\nTo further analyze “Agent Smith”’s infection landscape, we dived into the top 10 infected countries:\r\nCountry | Total Devices | Total Infection Event Count | Avg. App Swaps Per Device | Avg. Droppers Per Device | Avg. Months Device Remained Infected\r\nIndia | 15,230,123 | 2,017,873,249 | 2.6 | 1.7 | 2.1\r\nBangladesh | 2,539,913 | 208,026,886 | 2.4 | 1.5 | 2.2\r\nPakistan | 1,686,216 | 94,296,907 | 2.4 | 1.6 | 2\r\nIndonesia | 572,025 | 67,685,983 | 2 | 1.5 | 2.2\r\nNepal | 469,274 | 44,961,341 | 2.4 | 1.6 | 2.4\r\nUS | 302,852 | 19,327,093 | 1.7 | 1.4 | 1.8\r\nNigeria | 287,167 | 21,278,498 | 2.4 | 1.3 | 2.3\r\nHungary | 282,826 | 7,856,064 | 1.7 | 1.3 | 1.7\r\nSaudi Arabia | 245,698 | 18,616,259 | 2.3 | 1.6 | 1.9\r\nMyanmar | 234,338 | 9,729,572 | 1.5 | 1.4 | 1.9\r\n“Agent Smith” Timeline\r\nEarly signs of activity from the actor behind “Agent Smith” can be traced back to January 2016. We classify this\r\n40-month period into three main stages.\r\nJanuary 2016 – May 2018:\r\nIn this stage, the “Agent Smith” hackers started to try out 9Apps as a distribution channel for their adware. During\r\nthis period, malware samples displayed typical adware characteristics such as unnecessary permission\r\nrequirements and pop-up windows. Over this time, the “Agent Smith” hackers built up a vast app presence on 9Apps,\r\nwhich would later serve as publication channels for evolved droppers. However, these samples\r\ndid not yet have the key capability of infecting innocent apps on victim devices.\r\nMay 2018 to April 2019:\r\nThis is the actual mature stage of the “Agent Smith” campaign. From early 2018, prior to May, the “Agent Smith” hackers\r\nstarted to experiment with Bundle Feng Shui, the key tool which gives the “Agent Smith” malware family the capability\r\nto infect innocent apps on the device. A series of pilot runs were executed. After a major upgrade, by mid-June the “Agent Smith” campaign reached its peak: its dropper family finished integration with Bundle Feng Shui\r\nand the campaign C\u0026C infrastructure was shifted to the AWS cloud. The campaign achieved exponential growth from\r\nJune to December 2018, with the infection numbers staying stable into early 2019.\r\nPost-April 2019:\r\nStarting from early 2019, the new infection rate of “Agent Smith” dropped significantly. From early April, the hackers\r\nstarted to build a new major update to the “Agent Smith” campaign under the name “leechsdk”.\r\nFigure 26: “Agent Smith” Campaign timeline\r\nGreater “Agent Smith” Campaign Discovery\r\nOrchestrating a successful 9Apps-centric malware campaign, the actor behind “Agent Smith” established solid\r\nstrategies in malware proliferation and payload delivery. The actor also built solid backend infrastructure which\r\ncan handle a high volume of concurrent requests.\r\nDuring our extended threat hunting, we uncovered 11 apps on the Google Play store that contain a malicious yet\r\ndormant SDK related to the “Agent Smith” actor. This discovery indicates the actor’s ambition to expand\r\noperations into the Google Play store, building on the success of the main “Agent Smith” campaign.\r\nInstead of embedding the core malware payload in droppers, the actor switches to a more low-key SDK approach. In\r\nthe dangerous module lies a kill switch logic which looks for the keyword “infect”. Once the keyword is present,\r\nthe SDK will switch from innocent ad servers to malicious payload delivery ones. Hence, we name this new spin-off campaign Jaguar Kill Switch. The code snippet below is currently isolated and dormant. In the future, it will\r\nbe invoked by the malicious SDK during banner ad display.\r\nFigure 27: the kill switch code snippet\r\nEvidence implies that the “Agent Smith” actor is currently laying the groundwork, increasing its Google Play\r\npenetration rate and waiting for the right timing to kick off attacks. By the time of this publication, two Jaguar Kill\r\nSwitch infected apps have reached 10 million downloads, while others are still in their early stages.\r\nCheck Point Research reported these dangerous apps to Google upon discovery. Currently, all of these apps have\r\nbeen taken down from the Google Play store.\r\nFigure 28: Jaguar Kill Switch infected GP apps\r\nPeek Into the Actor\r\nBased on all of the above, we connected the “Agent Smith” campaign to a Chinese internet company located in\r\nGuangzhou whose front-end legitimate business is to help Chinese Android developers publish and promote their\r\napps on overseas platforms.\r\nVarious recruitment posts on Chinese job sites and Chinese National Enterprise Credit Information Public System\r\n(NECIPS) data led us one step further, linking the actor to its legal entity name. Interestingly, we uncovered\r\nseveral expired job postings for Android reverse engineers from the actor’s front business, published in 2018 and\r\n2019. It seems that the people who filled these roles are key to “Agent Smith’s success, yet not quite necessary for the\r\nactor’s legitimate side of business.\r\nWith a better understanding of the “Agent Smith” actor than we had in the initial phase of campaign hunting, we\r\nexamined the list of target innocent apps once again and discovered the actor’s unusual practices in choosing\r\ntargets. It seems the “Agent Smith” prey list does not only contain popular yet Janus-vulnerable apps to ensure high\r\nproliferation, but also competitor apps of the actor’s legitimate business arm, to suppress competition.\r\nConclusion\r\nAlthough the actor behind “Agent Smith” decided to make their illegally acquired profit by exploiting the use of\r\nads, another actor could easily take a more intrusive and harmful route. With the ability to hide its icon from the\r\nlauncher and hijack popular existing apps on a device, there are endless possibilities to harm a user’s digital and even\r\nphysical security. Today this malware shows unwanted ads; tomorrow it could steal sensitive information, from\r\nprivate messages to banking credentials and much more.\r\nThe “Agent Smith” campaign serves as a sharp reminder that effort from system developers alone is not enough to\r\nbuild a secure Android ecosystem. It requires attention and action from system developers, device manufacturers,\r\napp developers, and users, so that vulnerability fixes are patched, distributed, adopted and installed in time.\r\nIt is also another example of why organizations and consumers alike should have an advanced mobile threat\r\nprevention solution installed on the device to protect themselves against the possibility of unknowingly installing\r\nmalicious apps, even from trusted app stores.\r\nFor more information about how to keep your device protected, check out SandBlast Mobile.\r\nSource: https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"
	],
	"report_names": [
		"agent-smith-a-new-species-of-mobile-malware"
	],
	"threat_actors": [
		{
			"id": "0afff988-cf8a-443b-9e2e-8686e511d0ed",
			"created_at": "2023-01-06T13:46:38.45683Z",
			"updated_at": "2026-04-10T02:00:02.982791Z",
			"deleted_at": null,
			"main_name": "HummingBad",
			"aliases": [],
			"source_name": "MISPGALAXY:HummingBad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/35e3e89e84f5c00c57532b214cf2df6460020913.pdf",
		"text": "https://archive.orkl.eu/35e3e89e84f5c00c57532b214cf2df6460020913.txt",
		"img": "https://archive.orkl.eu/35e3e89e84f5c00c57532b214cf2df6460020913.jpg"
	}
}