A Chinese company has 25 million Android devices tangled in an ad fraud scheme

Researchers declined to identify the company by name, citing an ongoing law enforcement investigation.
mobile device management

A malicious software campaign tied to a Chinese internet company has exploited known vulnerabilities in Android mobile phones to infect roughly 25 million devices as part of a far-reaching ad fraud scheme, according to findings published Wednesday by Check Point.

Hundreds of apps in a third-party Android marketplace disguised cocktails of malicious software that researchers say leveraged a number of known security issues to broadcast fraudulent advertisements. It’s only the latest example of near-daily revelations about apps acting in ways unwitting victims could not have anticipated — though this malicious activity is especially innovative.

The programs — which mostly masqueraded as gaming, adult entertainment or photo apps — also contained code that allowed scammers to reach into legitimate apps that already existed on a victims’ phone, and commandeer those apps to broadcast advertisements. By displaying banner ads to so many users, the fraudsters could charge real advertisers for access to millions of people.

Check Point tied the campaign, which it calls “Agent Smith,” to a Chinese internet company based in Guangzhou that works to help Chinese Android developers distribute their apps on the international markets. Researchers declined to identify the company by name, citing an ongoing law enforcement investigation.


About 360 of the problematic apps were hosted on the 9Apps store, which operates separately from the dominant Google Play Store. Google itself removed 11 apps from the Play Store containing a malicious but dormant software development kit that Check Point tied to the Agent Smith campaign.

Fifty-nine percent of the affected users are based in India. Check Point also found 303,000 infections in the U.S., 245,000 in Saudi Arabia, 141,000 in Australia and 137,000 in the U.K.

“By utilizing the same capability Agent Smith uses to target ads, you could also target banking apps to harvest credentials to gain access to people’s accounts or….implement spyware,” said Aviran Hazum, an analysis and response team leader at Check Point, during an interview. “Even with all those malicious possibilities, you still see them going for ads because it’s easy, stable and there’s more of a chance to make money.”

Researchers named the campaign Agent Smith after a character in “The Matrix” movie franchise who, as a computer virus, morphs into other characters for nefarious purposes.

Upon downloading one of the apps in question, users trigger a three-step infection process that activates an encrypted initial “dropper” file. Then, the dropper automatically decrypts, installing malware that’s typically disguised as a Google update. From there, the malware extracts the phone’s list of installed apps, and the accompanying Android application package. Finally, the malicious app will then “patch the APK with malicious ad modules, install the APK back and replace the original one as if it is an update,” Check Point found.


The effect, Hazum says, is for trustworthy apps like WhatsApp to suddenly blare advertisements while appearing to function normally.

“It makes it appear as an upgrade to the existing app,” he said. “If you have automatic updates on, you won’t even realize it’s been updated. And both versions of the app are working.”

Check Point’s research comes after CNET reported that more than 1,000 Android apps continue to collect user information even after that permission is denied. Last week, Trend Micro detailed roughly 100 Play Store apps that were little more than adware and, before that, Wandera detected a game that sought user’s Gmail credentials.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts