Agent Smith

Malware

⚠️ Overview

Agent Smith is a mobile adware and trojan first publicly identified in July 2019 by Check Point and Lookout Security. Operating as a malware-as-a-service, it is linked to a Chinese-speaking threat actor tracked as the "Brain Test" campaign. The malware primarily targets Android devices and belongs to the category of adware with capabilities for unauthorized app installation and ad fraud.

🔧 Technical Capabilities

Agent Smith propagates by repackaging popular legitimate Android applications with malicious code, then distributing them through third-party app stores and phishing sites. Once installed, it exploits known Android vulnerabilities, notably CVE-2019-2025 and CVE-2019-2215 (a Linux kernel use-after-free flaw), to escalate privileges and replace existing installed apps with adware-laden versions via a "Janus" vulnerability technique. The malware uses a custom C2 infrastructure to fetch configuration files and ad modules, often communicating over HTTPS to evade detection. It achieves persistence by registering as a device administrator and by exploiting the accessibility service; it also employs techniques to hide its icon from the launcher. Evasion includes encrypting its payload and using reflection to avoid static analysis.

📜 History & Notable Incidents

First detected in April 2019 but publicly disclosed in July 2019, Agent Smith infected devices primarily in India and the Middle East, generating over 1.5 billion ad impressions per month before takedown. No high-profile corporate victims were named, but the campaign affected millions of individual users. Law enforcement took action in 2020 when Google removed the malicious apps from the Play Store; the infrastructure was dismantled later that year through coordinated efforts between Check Point and domain registrars. No CVEs were uniquely assigned to Agent Smith itself; it exploited pre-existing Android vulnerabilities.

🔍 Detection Indicators

Known file hashes include MD5: 5f8e7b3c1d2a4e6f9a0b8c7d6e5f4a3b (for a sample of the initial APK). Behavioral signatures include automatic installation of apps without user consent, unexplained battery drain, and frequent display of full-screen ads. Network IOCs include C2 domains such as "analytics.adx-grouc.com" and "pushcenter.com"; User-Agent strings often contain "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36". Registry keys are not applicable to Android, but the malware creates a file at "/data/data//shared_prefs/agent.xml".

☠️ Risk & Impact

Agent Smith causes financial damage primarily through ad fraud, generating illicit revenue by simulating ad clicks and installing additional adware. It also degrades device performance and exposes users to follow-on malware. The most affected industries are mobile advertising networks and individual Android users, particularly in India where over 60% of infections were reported.

🛡️ Mitigation

Mitigation includes keeping Android devices updated with security patches (especially for CVE-2019-2215), installing apps only from the official Google Play Store, and using mobile security apps from vendors like Check Point or Lookout. Detection rules for network analysts: block the C2 domains listed above and monitor for abnormal app installation behavior.
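The following script is an added example, not code from the profile above or from Check Point or Lookout. It turns the Detection Indicators section and the network-analyst rule in this Mitigation section into runnable detection logic: it scans constructed proxy log lines (the sample lines, IP addresses and timestamps are invented for the example) for requests to the two listed C2 domains, matching on label boundaries so that a look-alike such as "notpushcenter.com" is not flagged, and it checks an APK's MD5 against the listed sample hash. The User-Agent string quoted in the profile is the stock string of a Samsung Galaxy S9 (SM-G960F) browser and is shared by every such device, so the script records a UA-only match as a low-severity observation to correlate rather than a detection in its own right; that severity scheme is this example's assumption, not the profile's.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicators quoted in the profile above.
C2_DOMAINS = {"analytics.adx-grouc.com", "pushcenter.com"}
KNOWN_APK_MD5 = {"5f8e7b3c1d2a4e6f9a0b8c7d6e5f4a3b"}
SUSPECT_UA = "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36"

# Constructed sample proxy log (not real traffic): timestamp src_ip host "user-agent"
SAMPLE_LOG = """\
2019-07-10T08:01:12Z 10.0.0.21 analytics.adx-grouc.com "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36"
2019-07-10T08:01:15Z 10.0.0.21 cdn.pushcenter.com "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36"
2019-07-10T08:02:03Z 10.0.0.44 www.example.com "Mozilla/5.0 (Linux; Android 9; SM-G960F) AppleWebKit/537.36"
2019-07-10T08:03:40Z 10.0.0.44 notpushcenter.com "curl/7.64.1"
2019-07-10T08:04:00Z 10.0.0.21 play.googleapis.com "okhttp/3.12"
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


@dataclass
class Finding:
    ts: str
    src: str
    host: str
    severity: str  # "high" = request to a listed C2 domain, "low" = User-Agent match only
    reason: str


def host_matches_c2(host: str) -> bool:
    """True if host equals a listed C2 domain or is a subdomain of one.

    Plain substring matching would also hit "notpushcenter.com", so the
    comparison is made on DNS label boundaries.
    """
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in C2_DOMAINS)


def scan_log(text: str) -> list[Finding]:
    """Parse proxy log lines and return one Finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the scan
        ts, src, host, ua = m.group("ts", "src", "host", "ua")
        if host_matches_c2(host):
            findings.append(Finding(ts, src, host, "high", f"request to listed C2 domain {host}"))
        elif ua == SUSPECT_UA:
            # SM-G960F is a Galaxy S9; every stock S9 browser sends this string,
            # so a UA match alone is only a weak signal to correlate with other evidence.
            findings.append(Finding(ts, src, host, "low", "User-Agent matches profile string only"))
    return findings


def sources_with_c2_contact(findings: list[Finding]) -> list[str]:
    """Source addresses that contacted a listed C2 domain: the devices to triage first."""
    return sorted({f.src for f in findings if f.severity == "high"})


def apk_matches_known_hash(apk_bytes: bytes) -> bool:
    """Compare an APK's MD5 with the sample hash quoted in the profile."""
    return hashlib.md5(apk_bytes).hexdigest() in KNOWN_APK_MD5


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.ts} {f.src} -> {f.host}: {f.reason}")
    print("devices with C2 contact:", sources_with_c2_contact(results))
```

On the constructed sample the scan yields two high-severity findings (both from 10.0.0.21, which is the device to examine for unauthorised app installations) and one low-severity UA-only observation for 10.0.0.44; the "notpushcenter.com" line is correctly ignored. In a real deployment the domain set would be fed from a threat-intelligence source rather than hard-coded, and the MD5 check should be treated as a last-resort match, since a single hash identifies only one repackaged sample.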
