Artificial Intelligence: Detecting “Agent Smith” (Part 2)

By Yaelle Harel and Adeline Chan, Threat Prevention Marketing Managers, published November 25th, 2019

“Agent Smith” is a malware campaign discovered by Check Point’s mobile threat researchers. The campaign infected approximately 30 million devices for financial gain. Disguised as a Google-related app, the core part of the malware exploits various known Android vulnerabilities and automatically replaces multiple installed apps on the device with malicious versions.

Check Point’s AI engines detected this malware before the campaign was first discovered, and before the command and control sites were known to be malicious. The core malware was detected by three of Check Point’s AI engines, each of them focused on a different type of indicator. As an example, one model took the application code as input and returned a verdict based on code flow analysis. The engines that detected this malware work independently, which means that even if some of the indicators do not appear in a variant of the malware, the variant will still be detected.

Thanks to Check Point’s AI engines, “Agent Smith” was detected before it caused damage by replacing the installed apps with malicious versions.

Responding to bot attacks

Responding to an attack quickly and accurately can remediate damage or even prevent it completely. Check Point uses AI for several stages of the response process – such as victim identification, alerts elimination, and attack classification.

In this example, a company that provides IT services to critical government institutes contacted Check Point after receiving tens of thousands of alerts regarding allegedly malicious activities reported by a non-Check Point solution. Check Point’s ThreatCloud AI sifted through log entries and provided an accurate list of 25 infected devices. These devices were then cleaned before the malware caused any damage.

The concept behind ThreatCloud AI is to create a machine that emulates the thought process and decision making of a cybersecurity researcher. However, while the security researcher could spend weeks just researching a single type of threat, the ThreatCloud AI machine is able to make a decision in seconds. ThreatCloud AI correlates suspicious and malicious events from multiple sources, thus recognizing an infection behavior and identifying the infected hosts. The system will then point the customer to the top events in their network that need immediate attention.


As cybercriminals develop more sophisticated and more dangerous methods of cyberattack, it has become impossible to rely only on human analysis and decision making. In order to continuously improve Check Point’s excellent detection and prevention rate, Check Point has developed dozens of artificial intelligence engines and incorporated them in critical decision points across Check Point’s family of products.

Many cybersecurity vendors claim to incorporate AI in their products but few have shown its effectiveness. In contrast, Check Point has demonstrated real world results in all four stages of the adaptive security architecture.

Check Point’s models are effective at preventing attacks thanks to the vast amount of real-world data of known threats, and domain experts who develop, train, and validate the models. Check Point domain experts are constantly defining suitable features and labeling data for each engine. They use a vast amount of data for training, testing and validating the models, and the data is enriched with Check Point’s unique intelligence. The solutions integrate several algorithmic approaches on the same input. The result of all of this is the industry’s leading prevention rate for both known and unknown attacks.

Read the previous installment: Cybersecurity AI in Action (Part 1)
