S0440 Agent Smith
Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019, Agent Smith had infected around 25 million devices, primarily targeting India, though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.[1]
| Item | Value |
|---|---|
| ID | S0440 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 07 May 2020 |
| Last Modified | 17 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1577 | Compromise Application Executable | Agent Smith can inject fraudulent ad modules into existing applications on a device.[1] |
| mobile | T1404 | Exploitation for Privilege Escalation | Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.[1] |
| mobile | T1643 | Generate Traffic from Victim | Agent Smith shows fraudulent ads to generate revenue.[1] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | Agent Smith can hide its icon from the application launcher.[1] |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.002 | File Deletion | Agent Smith deletes infected applications' update packages when they are detected on the system, preventing updates.[1] |
| mobile | T1406 | Obfuscated Files or Information | - |
| mobile | T1406.001 | Steganography | Agent Smith's core malware is disguised as a JPG file and encrypted with an XOR cipher.[1] |
| mobile | T1424 | Process Discovery | Agent Smith checks whether a targeted application is running in user space prior to infection.[1] |
| mobile | T1418 | Software Discovery | Agent Smith obtains the device's application list.[1] |