Android
Threat Guidances
Lookout
Malware
July 22, 2019

InfectedAds/AgentSmith RTD

How Lookout Detects and Protects Against Threats like ArmaSpy

Lookout Security Intelligence teams leverage both static and dynamic analysis with our machine learning engine to discover new threats. While ArmaSpy is a smaller and more targeted family, its unique heuristics and code structure are being analyzed against our data corpus of 170 million devices in order to get the most accurate understanding of the malware’s presence and evolution. Devices with Lookout installed have been protected against ArmaSpy since May 2019. Lookout also protects against other sophisticated malware that could normally go undetected.

Background and Discovery Timeline

In April 2019, Lookout researchers initially investigated InfectedAds (also known as AgentSmith), a family of applications that are able to infect programs installed on Android devices. This family can add its own components to a target Android Package (APK) without changing its digital signature. By doing so, it can install infected applications masked as an update to replace the original version of the application.

Infected versions of many applications such as HD Camera, Euro Farming Simulator, and others were found in 3rd party app stores and downloaded to thousands of devices.

Capabilities and Affected Parties

The infection process has three main stages. First, the victim installs a dropper app, which has a malicious Feng Shui Bundle encrypted in the asset folder. Then, the dropper decrypts and installs the core malware, which is later responsible for malicious patching and app updates. Finally, the main malware extracts the list of installed applications on the device. If they match with a pre-existing list, the malware will extract the base APK of the legitimate app and patch it with malicious ad modules. InfectedAds generates ads that can be used for financial gain by the attacker. However, the malware could easily be leveraged for much more dangerous activity such as stealing login credentials for banking, travel, or corporate apps because of its discreet nature.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as its preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Platform(s) Affected
Android
Entry Type
Threat Guidances
Discovered By
Lookout
Threat Type
Malware
Platform(s) Affected
Android
Threat Guidances
Lookout
Malware

Related Content

BancaMarStealer

A customizable Malware-as-a-Service banking trojan delivered through any app with messaging capabilities.

Read Threat Article

Lookout Phishing AI Discovers Campaign Targeting Verizon Employees

Phishing AI discovered this campaign targeting Verizon employees on mobile devices.

Read Threat Article

Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy

Researchers at the Lookout Threat Lab have discovered a new Android surveillance tied to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell