New Android malware variant GhostCtrl steals data, control devices functionalities and even hijack the devices. It is certainly a variant of commercially sold OmniRAT that produced headlines in November 2015.

Malware uses legitimate and popular apps like MMS, WhatsApp and Pokemon GO. Trend Micro detected it as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, and then they named backdoor as GhostCtrl.

It is highly persistent and it even blocks “ask for install page” prompt, once installed wrapper APK launch the service to run the main APK in Background.

Malicious APK would resemble like a legitimate application and then it connects to C&C server to get commands.

Also read Android Trojan Called “SpyDealer” Spying on More Than 40 Apps Including Facebook, WhatsApp, Skype, Telegram

C&C Communication

Commands from C&C server are encrypted and then they are decrypted locally by the APK. Security researchers from Trend Micro observed all the DNS servers resolves to the same C&C Server IP address.

hef–klife[.]ddns[.]net
f–klife[.]ddns[.]net
php[.]no-ip[.]biz
ayalove[.]no-ip[.]bi

These are the commands used by attackers to manipulate the device functionalities with without users knowledge.

Control the Wi-Fi state
Monitor the phone sensors’ data in real time
Set phone’s UiMode, like night mode/car mode
Control the vibrate function, including the pattern and when it will vibrate
Download pictures as wallpaper
List the file information in the current directory and upload it to the C&C server
Delete a file in the indicated directory
Rename a file in the indicated directory
Upload a desired file to the C&C server
Create an indicated directory
Use the text to speech feature (translate text to voice/audio)
Send SMS/MMS to a number specified by the attacker; the content can
also, be customized
Delete browser history
Delete SMS
Download file
Call a phone number indicated by the attacker
Open activity view-related apps; the Uniform Resource Identifier (URI)
can also be specified by the attacker (open browser, map, dial view, etc.)
Control the system infrared transmitter
Run a shell command specified by the attacker and upload the output result

GhostCtrl steals extensive rate of information when compared to any another
Android information stealers.It can fetch pieces of information like
Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from the camera, browser, and searches, service processes, activity information, and wallpaper.

It is also capable of intercepting text messages to record Audio or Video and upload into C&C server.

GhostCtrl’s Versions and functions

The first version enables the framework to gain admin level privilege and has no other codes, Malware continues to evolve with Version Second and third.

The second version is like a mobile ransomware it lock’s device reset password and gain root access. Then it uses to hijack cameras record voice & video and then upload to C&C servers.

The third version posses obfuscation techniques to hide its malicious routines, it drops the wrapper and then it extracts the main APK file Dalvik Executable (DEX) and an Executable and Linkable Format file (ELF).

Common Defences

• To stay secure, use a reputable mobile security solution to detect and remove the threats.
• Do download apps only from the official market.
• Before downloading, check for the number of installs, ratings and, most importantly, the content of reviews.
• Deploy Firewall, Intrusion and prevention systems and for Mobile also.
• Regularly backup the data at regular intervals.