Track Common Adversary Tasks Performed Using Agent Smith

Presented by: Ashwin (Microsoft Azure MVP)

Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.


MITRE ATT&CK® Matrix for Enterprise

Now, let's see the details around the series of events associated with this software in chronological order, and how we can work to mitigate or detect these threats.

Compromise Application Executable


Agent Smith can inject fraudulent ad modules into existing applications on a device.

Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.

There are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.

Adversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.

Adversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.

Security Updates

Security updates frequently contain patches to vulnerabilities.

Use Recent OS Version

Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases.

This behavior is seamless to the user and is typically undetectable.

Exploitation for Privilege Escalation

Privilege Escalation

Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.

Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable.


Device attestation can often detect jailbroken or rooted devices.

Deploy Compromised Device Detection Method

Mobile security products can potentially detect jailbroken or rooted devices.

Security Updates

Security updates often contain patches for vulnerabilities.

Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.

Obfuscated Files or Information

Defense Evasion


Agent Smith’s core malware is disguised as a JPG file, and encrypted with an XOR cipher.

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography.

Hide Artifacts

Defense Evasion

Suppress Application Icon

Agent Smith can hide its icon from the application launcher.

A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker family of malware.

Beginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings

Use Recent OS Version

Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.

User Guidance

Users should be shown what a synthetic activity looks like so they can scrutinize them in the future.

The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine. Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon.

Indicator Removal on Host

Defense Evasion

File Deletion

Agent Smith deletes infected applications’ update packages when they are detected on the system, preventing updates.

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

User Guidance

Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.

Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Application vetting services could be extra scrutinous of applications that request device administrator permissions.

Software Discovery


Agent Smith obtains the device’s application list.

Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions.

Adversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications.

Use Recent OS Version

Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.

User Guidance

iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.

Application vetting services could look for the Android permission android.permission.QUERY_ALL_PACKAGES, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API LSApplicationWorkspace and apply extra scrutiny to applications that employ it.

Process Discovery


Agent Smith checks if a targeted application is running in user-space prior to infection.

Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Recent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the hidepid mount feature. Prior to Android 7, applications could utilize the ps command or examine the /proc directory on the device.

In iOS, applications have previously been able to use the sysctl command to obtain a list of running processes. This functionality has been removed in later iOS versions.


Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check.

Use Recent OS Version

Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges.

Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of ps or inspection of the /proc directory.

Generate Traffic from Victim


Agent Smith shows fraudulent ads to generate revenue.

Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.

If done via SMS messages, Android apps must hold the SEND_SMS permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS

User Guidance

Users should be advised that applications generally do not require permission to send SMS messages.

On Android, users can review which applications can use premium SMS features in the "Special access" page within application settings. Application vetting services can detect when applications request the SEND_SMS permission, which should be infrequently used.