Skip to content

S0440 Agent Smith

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.1

Item Value
ID S0440
Associated Names
Version 1.0
Created 07 May 2020
Last Modified 17 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1577 Compromise Application Executable Agent Smith can inject fraudulent ad modules into existing applications on a device.1
mobile T1404 Exploitation for Privilege Escalation Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.1
mobile T1643 Generate Traffic from Victim Agent Smith shows fraudulent ads to generate revenue.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon Agent Smith can hide its icon from the application launcher.1
mobile T1630 Indicator Removal on Host -
mobile T1630.002 File Deletion Agent Smith deletes infected applications’ update packages when they are detected on the system, preventing updates.1
mobile T1406 Obfuscated Files or Information -
mobile T1406.001 Steganography Agent Smith’s core malware is disguised as a JPG file, and encrypted with an XOR cipher.1
mobile T1424 Process Discovery Agent Smith checks if a targeted application is running in user-space prior to infection.1
mobile T1418 Software Discovery Agent Smith obtains the device’s application list.1