A newly discovered piece of Android malware which replaces portions of app code with its own code has quietly infected more than 25 million – of which 15 million devices are in India. Disguised as a Google-related app, the malware “exploits known Android vulnerabilities and automatically replaces apps with malicious versions without the users’ interaction or knowledge.” The primary victims are Indians, and also Pakistan and Bangladesh. The malware was downloaded from 9Apps – a third-party app store backed by UC Web – and targeted mostly Hindi, Arabic, Russian, and Indonesian speaking users. Dubbed “Agent Smith”, the malware seems to mainly India users, says Counter Point. It’s worth noting that one of UC Web’s popular products in UC Browser, and it has a strong presence in India, China, and Indonesia.

The malware was being used for financial gain via malicious ads, but could be used for more intrusive and harmful purposes such as banking credential theft, said Check Point. The malware is hidden inside “barely functioning photo utility, games, and sex related apps”. The majority of these apps are games, and others are related to adult entertainment, media players, photo utilities, and system utilities. After it was downloaded, the malware would disguise itself as “Google Updater” and with the icon hidden. The malware also tries to look for popular apps like WhatsApp, Lenovo AnyShare, SHAREitJio Play, Jio Chat, Jio Join, Opera Mini, Hotstar, Flipkart, Xender, Truecaller, among others, and then replaces portions of their code and prevents them from being updated automatically.

Among smartphone brands, Samsung saw the largest infections – making up for 26% of infections. This was followed by Xiaomi, Vivo, itel, Micromax, and others. The infections were mainly reported on devices running Android 5 and 6, with most infections lasting for a period of at least two months.

Infected apps found on Google Play Store as well

In the recent months, Check Point has also discovered 11 infected apps on the Google Play Store that contained malicious but dormant components used in Agent Smith. According to the researchers, this suggests that the hackers are beginning to use Google’s own app distribution platform to spread adware. Google has since taken down the apps after Check Point reported their findings.