A new form of malware is one of the most advanced Android information stealers ever discovered, enabling attackers to open a backdoors in order to monitor data, steal information, record audio and video and even infect the phone with ransomware.
Dubbed GhostCtrl, the malware can stealthily control many of the infected devices functions – and the researchers warn that that this is just the beginning and it could evolve to become a lot worse.
This new malware appears to be based on OmniRAT, a form of spying software capable of giving hackers full remote control of devices including Windows, Mac, Linux and Android systems – although unlike its apparent predecessor, it focuses purely on Android.
Mobile devices have become an increasingly valuable target for cybercriminals and those conducting espionage, not only because they can provide information about virtually every aspect of a target’s lives, but because the device will almost always be with them.
Discovered by researchers at Trend Micro, GhostCtrl forms part of a wider campaign targeting Israeli hospitals with the information-stealing Windows RETADUP worm – but the mobile arm of the attack represents an even more dangerous threat to victims.
In total, there are three versions of GhostCtrl – one which steals information and controls some of the devices functions, while a second added more features to hijack. Now the malware is on its third version which combines the most advanced capabilities of previous incarnations while adding further malicious capabilities.
Those include monitoring the phone’s data in real time, the ability to steal the device’s data, including call logs, text message records, contacts, phone numbers, location and browser history. GhostlCtrl can also gather information about the victim’s Android version, Wi-Fi, battery level and almost any activity information.
The most worrying aspect of this isn’t just the ability to intercept messages from contacts specfied by the attacker, but GhostCtrl can also stealthily record audio and video, enabling the attackers to conduct full on espionage on infected victims.
Users become infected with the malware by downloading fake versions of legitimate popular apps, including WhatsApp and Pokemon Go. GhostCtrl goes about installing itself when launched, installing a malicious Android Application Package in order to take over the device.
This APK contains backdoor functions named ‘com.android.engine’ designed to trick the user into thinking its legitimate application when what it’s really doing is connecting to a command and control server to receive commands and instructions on what information to steal.
GhostCtrl contains the capability to become ransomware, with the ability to lock devices. However, this capability has yet to be seen in the wild and given the malware’s emphasis on stealth so it’s unlikely the attackers will deploy it any time soon, unless they massively change their intentions and tactics.
The very nature of this malware means it’s difficult to protect against – although taking care to only install legitimate applications from legitimate sources would be a good way of avoiding downloading it in the first place.
Trend Micro researchers also recommend that Android devices should be kept as updated as possible and that enterprises should restrict permissions on company devices to prevent the installation of malware.
READ MORE ON CYBERCRIME