25 Million Android Phones Hit With 'Agent Smith' Malware: What to Know

Israeli security researchers have discovered a new strain of adware that quietly infected an estimated 25 million outdated Android devices that loaded apps from third-party app stores.

Dubbed “Agent Smith” by security firm Check Point, the adware exploits known Android vulnerabilities to infect common mobile applications, such as WhatsApp, FlipKart or Opera Mini, that the user has already installed.

To prevent infection by Agent Smith or similar adware or malware, make sure that your Android device runs at least Android 7 Nougat. You should also go into Settings and make sure that the ability to install apps from "Unknown sources" is turned off. (This ability no longer exists in Android 8 Oreo and Android 9 Pie.)

The Agent Smith adware injects unwanted ads into an existing app and steals the financial gain from those that are already there. While that may sound fairly harmless, security researchers warn that the ability of this adware to hijack apps could lead to much more dangerous exploits. 

“Today this malware shows unwanted ads, tomorrow it could steal sensitive information; from private messages to banking credentials and much more,” Check Point wrote in a blog.

Most of the devices affected by Agent Smith are based in India as well as other South Asian countries, including Pakistan and Bangladesh. However, the adware has been found in devices all around the world, with more than 300,000 instances in the U.S., 245,000 in Saudi Arabia and more than 100,000 in Australia and the U.K. 

Phones used by South Asian expatriates may account for many of those instances, and it wasn't immediately clear how Check Point arrived at those numbers.

• The One Gmail Setting You Should Change Now

Most of the adware has spread through 9Apps, a third-party app store popular in India. But 11 apps found in the official Google Play store indicate that the adware could become more mainstream, as code related to the Agent Smith adware was found in those. 

According to Check Point, the group behind this adware is “currently laying the groundwork, increasing its Google Play penetration rate and waiting for the right timing to kick off attacks.” 

Most of the infections are on devices running Android 5 Lollipop and Android 6 Marshmallow, released in 2014 and 2015, respectively. However, Check Point also found that devices running newer versions of Android were being exploited, despite the fact that Android 7 Nougat patched the flaw that Agent Smith uses to infect already-installed apps.

The adware reportedly stems from a Chinese internet company located in Guangzhou that helps Chinese Android developers promote apps in other countries. The suspicious apps were removed from the Google Play store after Check Point reported them to Google. 

Check Point argues that adware like Agent Smith are why users should download a “mobile threat prevention solution” onto their devices. To protect your Android device from exploits like Agent Smith, be sure to download an Android antivirus app, keep your phone updated with the latest patches and turn off the ability to install apps from unknown sources.