When you think of malware, it's understandable if your mind first goes to elite hackers launching sophisticated dragnets. But unless you're being targeted by a nation-state or advanced crime syndicate, you're unlikely to encounter these ultratechnical threats yourself. Run-of-the-mill, profit-generating malware, on the other hand, is rampant. And the type you're most likely to encounter is adware.

In your daily life you probably don't think much about adware, software that illicitly sneaks ads into your apps and browsers as a way of generating bogus revenue. Remember pop-up ads? It's like that, but with special software running on your device, instead of rogue web scripts, throwing up the ads. Advertisers often pay out based on impressions, or the number of people who load their ads. So scammers have realized that the more ads they can foist upon you, the more money they pocket.

Ad It Up

Your smartphone offers attackers the perfect environment to unleash ad malware. Attackers can distribute apps tainted with adware through third-party app stores for Android and even sneak adware-laced apps into the Google Play Store or Apple's App Store. They can reach millions of devices quickly, lurking on your phone, say, while their servers spew ads that run in the background of your device or right on the screen. It doesn't require elaborate hacking techniques. It isn't trying to steal your money. At worst, it makes your device a little slower or forces you to close out some unexpected ads. Adware could be on your phone right now.

"With adware—which is in my opinion one of the boldest types of malware on the mobile front—we can see that the actors are basically following the money," says Aviran Hazum, analysis and response team leader at security firm Check Point. "A lot of victims will pay a ransomware ransom, or attackers can gain access to a bank account, but the probability of that is relatively low compared to the amount of money they can generate by displaying ads. More audience, more adware, more revenue."

Strains of adware regularly infect tens of millions or even hundreds of millions of devices at a time. Even though adware detections have declined year over year, security firm Malwarebytes still ranked it as the most prevalent type of consumer malware in 2018. Check Point published findings on one example last week, dubbed Agent Smith, which infected more than 25 million Android devices around the world. Fifteen million of those are in India, but Check Point also found more than 300,000 infections in the US.

Check Point sees signs that attackers started developing Agent Smith adware in 2016 and have been refining it ever since. Distributed largely through the third-party Android app store 9Apps, the adware was originally a more clunky, obvious type of malware that masqueraded as legitimate apps but asked for a suspicious number of device permissions to run and displayed a lot of intrusive ads.

LEARN MORE The WIRED Guide to Data Breaches

In spring 2018, though, Agent Smith evolved. Attackers added other malware components so that once the adware was installed, it would search through the device's third-party apps and replace as many as possible with malicious decoys. The initial malware would be in apps like shoddy games, photo services, or sex-related apps. But once installed, it would masquerade as a Google update utility—like a fake app called Google Updater—or apps that pretended to sell Google products, to have a better chance of hiding in plain sight.

Agent Smith also infiltrated the Google Play Store during 2018, hidden in 11 apps that contained a software development kit related to the campaign. Some of these apps had about 10 million downloads in total, but the Agent Smith functionality was dormant and may have represented a planned next step for the actors. Google has removed these tainted apps.

Check Point's Hazum points out that the actors behind Agent Smith also overhauled its infrastructure in 2018 and moved its command and control framework to Amazon Web Services. This way, the attackers could expand features like logging and more easily monitor analytics like download stats. Campaigns like adware and cryptojacker distribution can often function on legitimate infrastructure platforms like AWS, because it's difficult to distinguish their malicious activity from legitimate operations. In other recent adware campaigns, researchers have found innovations like malware that takes advantage of smartphone display and accessibility settings to overlay invisible ads that give them credit with ad networks without users even seeing anything.