S0440: Agent Smith
Agent Smith is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 Agent Smith had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.[1]
Analyst context for executives and security teams
Agent Smith matters because it shows how Android malware can turn trusted-looking mobile apps into a business risk: legitimate applications may be replaced or mimicked by malicious versions that generate fraudulent advertising traffic. For leaders, the issue is not only ad fraud; it is whether the organization can see what is installed on managed Android devices, validate app integrity, and respond when mobile software behaves differently than expected.
Executive priority
Prioritize Agent Smith as a mobile application integrity and device governance scenario. Executives should ask whether Android devices used for work have enforceable app-source controls, patch expectations, inventory evidence, and an incident process for compromised or repackaged apps. This is especially relevant for compliance evidence around mobile device management, acceptable software, vulnerability remediation, and SOC visibility. MITRE notes broad historical scale as of July 2019, but the supplied object does not support any claim of current activity or customer exposure.
Technical view
SOC, mobile security, and IR teams should validate coverage against the supplied Android behaviors and relationships: exploitation for privilege escalation, software and process discovery, compromising application executables, hiding an application icon, deleting files, generating outbound victim traffic, steganography, and matching legitimate names or locations. Because ATT&CK provides no official detection text for this object, teams should map detections to observable Android evidence rather than assuming malware-family-specific coverage.
Likely telemetry
- Android device and application inventory from MDM, EMM, or mobile security tooling
- Application install, update, removal, package name, version, certificate, and hash metadata
- Signals of repackaged or modified APKs, including mismatched signing certificates or unexpected application locations/names
- Launcher visibility and application icon state where available
- Permission requests and changes, especially permissions relevant to traffic generation or file access
Detection direction
- Start with asset and app inventory quality: detection is weak if the organization cannot identify installed Android packages, app provenance, signing metadata, and managed versus unmanaged devices.
- Tune for applications that imitate legitimate names, icons, package naming patterns, or locations, while accounting for legitimate regional, OEM, and enterprise app variants to reduce false positives.
- Correlate suspicious app replacement or modification with discovery behavior, hidden launcher presence, file deletion, privilege-escalation indicators, and unusual outbound traffic rather than relying on one signal.
- Review mobile network analytics for unexpected advertising or web traffic generated by endpoints, but treat traffic alone as insufficient without app and device context.
- Validate whether SOC workflows receive mobile telemetry at all; a common blind spot is that mobile device events stay in MDM consoles and are not normalized into SIEM or incident queues.
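One way to turn the correlation described above into detection logic, as an added example that is not part of the ATT&CK object or the Check Point report: it scores constructed MDM inventory records against a signer baseline and flags a package on a signer mismatch alone or on two or more weaker signals (package names, fingerprints, paths and device IDs are hypothetical).

```python
from dataclasses import dataclass

# Constructed baseline: expected signing-certificate SHA-256 fingerprint per package
# (hypothetical values; in practice this comes from the app catalogue or MDM export).
KNOWN_SIGNERS = {"com.example.messenger": "aa11", "com.example.video": "bb22"}

@dataclass
class AppRecord:            # one inventory row as an MDM/EMM export might provide it
    device: str
    package: str
    signer_sha256: str
    install_path: str
    launcher_icon_visible: bool
    sideloaded: bool        # installer was not the managed store

def edit_distance_le1(a: str, b: str) -> bool:
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))

def assess(r: AppRecord) -> list[str]:
    """Collect independent signals; a signer mismatch is the strongest repackaging hint."""
    f = []
    if r.package in KNOWN_SIGNERS:
        if r.signer_sha256 != KNOWN_SIGNERS[r.package]:
            f.append("signer-mismatch")
    elif any(edit_distance_le1(r.package, k) for k in KNOWN_SIGNERS):
        f.append("lookalike-package-name")
    if not r.launcher_icon_visible:     # service-only apps also lack icons: weak alone
        f.append("hidden-launcher-icon")
    if r.sideloaded:
        f.append("unmanaged-install-source")
    if not r.install_path.startswith("/data/app/"):
        f.append("unexpected-install-path")
    return f

def triage(records: list[AppRecord]) -> dict[tuple[str, str], list[str]]:
    """Flag a signer mismatch on its own, otherwise require two correlated signals."""
    return {(r.device, r.package): f for r in records
            if (f := assess(r)) and ("signer-mismatch" in f or len(f) >= 2)}

SAMPLE_INVENTORY = [  # constructed records, not real telemetry
    AppRecord("dev-1", "com.example.messenger", "aa11", "/data/app/com.example.messenger-1/", True, False),
    AppRecord("dev-2", "com.example.messenger", "ff99", "/data/app/com.example.messenger-2/", True, False),
    AppRecord("dev-2", "com.exampl.video", "cc33", "/data/data/.cache/", False, True),
    AppRecord("dev-3", "com.vendor.dialer", "dd44", "/data/app/com.vendor.dialer-1/", True, True),
]
```

Calling `triage(SAMPLE_INVENTORY)` returns only the dev-2 entries: the re-signed messenger on the mismatch alone, and the lookalike video package on four weak signals; the sideloaded dialer on dev-3 stays below the threshold.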
Mitigation priorities
- Enforce managed Android device enrollment and maintain accurate inventory for work-accessing devices.
- Restrict application sources and approve business applications through controlled distribution where practical.
- Maintain Android OS and application patching to reduce exposure to privilege-escalation paths referenced by T1404.
- Use application integrity checks, certificate validation, and mobile threat protection or equivalent controls to identify repackaged or modified apps.
- Limit unnecessary permissions and review applications that can generate traffic, access files, or hide user-facing presence.
Analyst notes and limits
This take is based on MITRE ATT&CK S0440 Agent Smith, its official description, the Check Point external reference listed by MITRE, and the supplied relationships to mobile ATT&CK techniques. The object is Android-specific and has no aliases, labels, explicit tactics, or official detection guidance in the provided fields.
The supplied data does not establish current exploitation, attribution, specific indicators, affected enterprise environments, or guaranteed detection methods. Local device management scope, Android versions, app distribution model, and available mobile telemetry will determine practical coverage.
Agent Smith
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1643 | Generate Traffic from Victim | Agent Smith shows fraudulent ads to generate revenue.[1] |
| Mobile | T1424 | Process Discovery | Agent Smith checks if a targeted application is running in user-space prior to infection.[1] |
| Mobile | T1418 | Software Discovery | Agent Smith obtains the device's application list.[1] |
| Mobile | T1628.001 | Suppress Application Icon | Agent Smith can hide its icon from the application launcher.[1] |
| Mobile | T1630.002 | File Deletion | Agent Smith deletes infected applications' update packages when they are detected on the system, preventing updates.[1] |
| Mobile | T1404 | Exploitation for Privilege Escalation | Agent Smith exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.[1] |
| Mobile | T1655.001 | Match Legitimate Name or Location | Agent Smith can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. Agent Smith's dropper is a weaponized legitimate Feng Shui Bundle.[1] |
| Mobile | T1577 | Compromise Application Executable | Agent Smith can inject fraudulent ad modules into existing applications on a device.[1] |
| Mobile | T1406.001 | Steganography | Agent Smith's core malware is disguised as a JPG file, and encrypted with an XOR cipher.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4295d68885c5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CheckPoint Agent Smith: A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.
[2] mitre-attack S0440: MITRE ATT&CK. S0440: Agent Smith.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.