Many companies use malicious software to broadcast unauthorized advertising. Check Point experts have identified an illegal program called Agent Smith, which has affected more than 25 million Android devices. On an infected device, unauthorized replacement of legal applications with clone applications that distributed unauthorized ads was carried out. Specialists were able to track the developer of Agent Smith, a Chinese high-tech company specializing in promoting applications from Chinese developers. It was also determined that the start of the distribution of illegal software dates back to 2018. The first “Agent Smith” hit the Internet through the 9Apps app store, associated with UC Browser mobile browser developers. The majority of infected devices belong to users from Asia: 15.2 million devices were damaged in India, 2.5 million in Bangladesh and 1.7 million in Pakistan. About 300 thousand of them were found in the USA. Smartphones with outdated Android versions are infected – 5 and 6, for which the current OS updates have not been released for a long time. Infected Agent Smith applications began to appear in the Google Play store. Experts have identified 11 such applications that, after reporting to Google’s security service, were quickly removed from Google Play. In an infected application, the malicious component disguised itself as an SDK, the role of which was to download and install a whole package of applications containing Agent Smith. After installation, the malware checked for installed applications, compared their list with the target list and changed them to clone programs that distribute unauthorized advertising. The list included 16 applications, including WhatsApp, Lenovo AnyShare, Opera Mini, Flipkart and TrueCaller. Such application replacement is a rather complicated technical process, which used the Janus vulnerability (CVE-2017-13156) in Android, which allowed adding content to the APK, bypassing protection using a digital signature. At the same time, after installing the clone program, Agent Smith blocked updates to prevent the removal of malicious code.