It appears that making malware for Android smartphones is becoming a trend. Researchers at Trend Micro have spotted a new piece of malicious software named GhostCtrl. According to their analysis, GhostCtrl is capable of taking full control of a smartphone, allowing the attackers to steal any data on the device remotely.
The data GhostCtrl steals is extensive compared to other Android info-stealers. Besides the data types common to such info-stealers, GhostCtrl can also pilfer the Android OS version, username, Wi-Fi, battery, Bluetooth and audio states, UiMode, sensor data, data from the camera, browser and searches, service processes, activity information, and the wallpaper.
GhostCtrl appears to be based on a multi-platform hacking tool named OmniRAT, which can remotely control Linux, macOS, Windows, and Android systems. Analysis of the code shows signs that GhostCtrl is an OmniRAT variant. Trend Micro named the malware “GhostCtrl” because of its covert and controlling nature and detects it as ANDROIDOS_GHOSTCTRL.OPS.
There are three versions of GhostCtrl, each more sophisticated than the last. The first steals information and has limited control over the device’s functionality. The second adds capabilities to hijack device processes. The third combines the features of the first two with additional capabilities and applies obfuscation techniques to make the malware harder to detect. In its final form, the operations GhostCtrl can perform and the information it can steal are practically limitless.
List of actions GhostCtrl can execute (source: Trend Micro):
- ACTION CODE = 10, 11: Control the Wi-Fi state
- ACTION CODE = 34: Monitor the phone sensors’ data in real time
- ACTION CODE = 37: Set the phone’s UiMode, like night mode/car mode
- ACTION CODE = 41: Control the vibrate function, including the pattern and when it will vibrate
- ACTION CODE = 46: Download pictures as wallpaper
- ACTION CODE = 48: List the file information in the current directory and upload it to the C&C server
- ACTION CODE = 49: Delete a file in the indicated directory
- ACTION CODE = 50: Rename a file in the indicated directory
- ACTION CODE = 51: Upload a desired file to the C&C server
- ACTION CODE = 52: Create an indicated directory
- ACTION CODE = 60: Use the text-to-speech feature (translate text to voice/audio)
- ACTION CODE = 62: Send SMS/MMS to a number specified by the attacker; the content can also be customized
- ACTION CODE = 68: Delete browser history
- ACTION CODE = 70: Delete SMS
- ACTION CODE = 74: Download file
- ACTION CODE = 75: Call a phone number indicated by the attacker
- ACTION CODE = 77: Open activity view-related apps; the Uniform Resource Identifier (URI) can also be specified by the attacker (open browser, map, dial view, etc.)
- ACTION CODE = 78: Control the system infrared transmitter
- ACTION CODE = 79: Run a shell command specified by the attacker and upload the output result
The malware spreads through APK packages that impersonate legitimate apps, using names like MMS, whatsapp, and Pokemon Go, among other well-known apps. Note that the spelling of the app names, particularly the capitalization and spacing, differs from that of the legitimate apps GhostCtrl attempts to imitate. Upon launch, the app decodes a .arsc resource file, which is the malicious APK. The wrapper APK then shows a prompt asking the user to install the GhostCtrl APK. Once that is launched, the wrapper makes the actual APK run in the background. The main APK carries the backdoor functionality under the process name com.android.engine, which lets it connect to a C&C server and receive commands remotely.
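The wrapper described above carries the real payload as a second APK inside a resource file. As an added example, not from the article or from Trend Micro's analysis, the Python scan below shows one triage check an analyst can run on such a resource once any decoding step has been applied: it locates every zip archive embedded in the blob and reports those whose entry names mark them as an APK. The sample blob, its filler bytes and the placeholder package name are constructed here; the check also handles the false hit that arises from starting a scan at a local file header in the middle of the same archive.

```python
import io
import zipfile

LOCAL_HEADER = b"PK\x03\x04"          # start of every zip local file header
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def build_sample_blob() -> bytes:
    """Constructed stand-in for a dropper resource: deterministic filler
    bytes around a minimal inner APK (a zip with the entries every real
    APK carries). The package name is a placeholder, not a real indicator."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.placeholder'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    filler = bytes(range(256))            # contains no PK\x03\x04 sequence
    return filler * 2 + buf.getvalue() + filler[:128]


def find_embedded_apks(blob: bytes) -> list:
    """Return [{'offset': int, 'entries': [...]}] for each zip inside blob
    whose entry names mark it as an APK. Python's zipfile tolerates leading
    and trailing junk, so a scan started at a later local header would open
    the same archive a second time; requiring the first central-directory
    entry to sit at header_offset 0 keeps only the archive's true start."""
    hits = []
    offset = blob.find(LOCAL_HEADER)
    while offset != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(blob[offset:])) as z:
                infos = z.infolist()
                names = {info.filename for info in infos}
                if infos and infos[0].header_offset == 0 and APK_MARKERS & names:
                    hits.append({"offset": offset, "entries": sorted(names)})
        except zipfile.BadZipFile:
            pass                          # bytes that merely looked like a header
        offset = blob.find(LOCAL_HEADER, offset + 1)
    return hits


if __name__ == "__main__":
    for hit in find_embedded_apks(build_sample_blob()):
        print(f"embedded APK at offset {hit['offset']}: {hit['entries']}")
```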
Analysts at Trend Micro give a number of suggestions to reduce the damage caused by GhostCtrl. One is to make sure your device has the latest updates and to back up your files regularly. Also check an app’s reputation to make sure it is not malware in disguise. Enable encryption on your device and keep app privileges to the minimum. For more details, read Trend Micro’s full analysis of GhostCtrl.