GhostCtrl creates a backdoor into Android devies allowing attackers to do virtually anything.
A new form of malware has proved to be one of the most advanced Android information-stealers ever discovered, enabling attackers to open a backdoor in order to monitor data, steal information, record audio and video, and even infect the phone with ransomware.
Dubbed GhostCtrl, the malware can stealthily control many of the infected device’s functions — and researchers have warned that that this is just the beginning, and the malware could evolve to become a lot worse.
This new malware appears to be based on OmniRAT, a form of spying software capable of giving hackers full remote control of devices running Windows, Mac, Linux, and Android — although, unlike its apparent predecessor, GhostCtrl focuses purely on Android.
Mobile devices have become an increasingly valuable target for cybercriminals and those conducting espionage, not only because they can provide information about virtually every aspect of a target’s lives, but because the device will almost always be with them.
Discovered by researchers at Trend Micro, GhostCtrl forms part of a wider campaign targeting Israeli hospitals with the information-stealing Windows RETADUP worm — but the mobile arm of the attack represents an even more dangerous threat to victims.
Those include monitoring the phone’s data in real time, and the ability to steal the device’s data, including call logs, text message records, contacts, phone numbers, location, and browser history. GhostlCtrl can also gather information about the victim’s Android version, wi-fi, battery level, and almost any other activity.
The most worrying aspect of the malware isn’t just its ability to intercept messages from contacts specfied by the attacker, as GhostCtrl can also stealthily record audio and video, enabling the attackers to conduct full-on espionage on victims.
Users become infected with the malware by downloading fake versions of legitimate popular apps, including WhatsApp and Pokemon Go.When launched, GhostCtrl installs a malicious Android application package (APK) in order to take over the device.
This APK contains backdoor functions named ‘com.android.engine’ designed to trick the user into thinking it’s a legitimate application, when what it’s really doing is connecting to a command and control server to receive instructions on what information to steal.
GhostCtrl has the capability to become ransomware, with the ability to lock devices. However, this capability has yet to be seen in the wild and given the malware’s emphasis on stealth, it’s unlikely the attackers will deploy it any time soon, unless they massively change their tactics.
The very nature of this malware means it’s difficult to protect against — although taking care to only install legitimate applications from legitimate sources would be a good way of avoiding downloading it in the first place.
Trend Micro researchers also recommend that Android devices should be kept as updated as possible and that enterprises should restrict permissions on company devices to prevent the installation of malware.