Thursday, December 5, 2024

Record Audio and Video Silently with Obfuscated Android Backdoor – GhostCtrl


A new Android malware variant, GhostCtrl, steals data, controls device functionality and can even hijack the device. It is certainly a variant of the commercially sold OmniRAT that made headlines in November 2015.

The malware masquerades as legitimate and popular apps like MMS, WhatsApp and Pokemon GO. Trend Micro detects it as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA and named the backdoor GhostCtrl.

It is highly persistent and even blocks the “ask for install page” prompt. Once installed, the wrapper APK launches a service that runs the main APK in the background.


The malicious APK resembles a legitimate application, and it connects to the C&C server to get commands.


C&C Communication

Commands from the C&C server are encrypted and then decrypted locally by the APK. Security researchers from Trend Micro observed that all of the following domains resolve to the same C&C server IP address.

hef–klife[.]ddns[.]net
f–klife[.]ddns[.]net
php[.]no-ip[.]biz
ayalove[.]no-ip[.]bi
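
Because several names point at one address, a DNS hunt can pivot from a known name to the resolved IP and then to any other name that returns it. The sketch below is an added example, not taken from Trend Micro or the original article; the log format, client addresses, answer IPs (documentation ranges) and the `sibling-host.example.org` name are constructed, and only `php[.]no-ip[.]biz` comes from the list above.

```python
from collections import defaultdict

# Indicator copied from the article (defanged there).
KNOWN_C2 = ["php[.]no-ip[.]biz"]

# Constructed resolver log: "timestamp client qname answer_ip".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real C&C IPs.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 php.no-ip.biz 203.0.113.7
2024-01-01T10:00:09Z 10.0.0.5 updates.example.net 198.51.100.20
2024-01-01T10:02:44Z 10.0.0.8 sibling-host.example.org 203.0.113.7
2024-01-01T10:03:10Z 10.0.0.9 PHP.NO-IP.BIZ. 203.0.113.7
"""


def refang(name: str) -> str:
    """Normalise a defanged or logged name: real dots, lower case, no root dot."""
    return name.replace("[.]", ".").lower().rstrip(".")


def hunt(log_text: str, indicators: list) -> dict:
    """Map each affected client to the (name, reason) pairs that implicate it."""
    known = {refang(i) for i in indicators}
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, qname, ip = parts
        rows.append((client, refang(qname), ip))
    # Pass 1: addresses that a known indicator resolved to.
    c2_ips = {ip for _, q, ip in rows if q in known}
    # Pass 2: every client that received one of those addresses, under any name.
    findings = defaultdict(set)
    for client, q, ip in rows:
        if ip in c2_ips:
            findings[client].add((q, "known" if q in known else "pivot"))
    return {c: sorted(v) for c, v in findings.items()}


if __name__ == "__main__":
    print(hunt(SAMPLE_LOG, KNOWN_C2))
```

Treat "pivot" hits as leads to confirm, since an address can be shared by unrelated hosts.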

These are the commands attackers use to manipulate the device's functionality without the user's knowledge:

  • Control the Wi-Fi state
  • Monitor the phone sensors’ data in real time
  • Set phone’s UiMode, like night mode/car mode
  • Control the vibrate function, including the pattern and when it will vibrate
  • Download pictures as wallpaper
  • List the file information in the current directory and upload it to the C&C server
  • Delete a file in the indicated directory
  • Rename a file in the indicated directory
  • Upload a desired file to the C&C server
  • Create an indicated directory
  • Use the text to speech feature (translate text to voice/audio)
  • Send SMS/MMS to a number specified by the attacker; the content can also be customized
  • Delete browser history
  • Delete SMS
  • Download file
  • Call a phone number indicated by the attacker
  • Open activity view-related apps; the Uniform Resource Identifier (URI) can also be specified by the attacker (open browser, map, dial view, etc.)
  • Control the system infrared transmitter
  • Run a shell command specified by the attacker and upload the output result

GhostCtrl steals a more extensive range of information than other Android information stealers. It can fetch pieces of information like Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from the camera, browser, and searches, service processes, activity information, and wallpaper.

It is also capable of intercepting text messages, and of recording audio or video and uploading it to the C&C server.

GhostCtrl’s Versions and functions

The first version enables the framework to gain admin-level privilege and has no other code. The malware continues to evolve with the second and third versions.

The second version is like mobile ransomware: it locks the device, resets the password and gains root access. It is then used to hijack cameras, record voice and video, and upload the recordings to the C&C servers.

The third version possesses obfuscation techniques to hide its malicious routines. It drops the wrapper and then extracts the main APK file, a Dalvik Executable (DEX) and an Executable and Linkable Format (ELF) file.
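
A wrapper that carries a second APK, a DEX and an ELF can be spotted in static triage by checking the magic bytes of every archive entry instead of trusting file names. This is an added example, not code from the original article or from Trend Micro; the entry names, the `assets/` and `res/raw/` locations and the allow-list of expected locations are assumptions, and the sample APK is constructed in memory.

```python
import io
import zipfile

# Magic bytes of the payload types the article names (an APK is a ZIP archive).
MAGIC = {b"PK\x03\x04": "ZIP/APK", b"dex\n": "DEX", b"\x7fELF": "ELF"}


def is_expected(name: str, kind: str) -> bool:
    """Assumed allow-list: where a normal APK keeps code of each type."""
    if kind == "DEX":  # classes.dex, classes2.dex, ... at the archive root
        return "/" not in name and name.startswith("classes") and name.endswith(".dex")
    if kind == "ELF":  # native libraries under lib/<abi>/
        return name.startswith("lib/") and name.endswith(".so")
    return False  # a nested ZIP/APK is never expected


def find_embedded_payloads(apk_bytes: bytes) -> list:
    """Return (entry name, detected type) for code found outside the allow-list."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            with apk.open(info) as fh:
                head = fh.read(4)
            for magic, kind in MAGIC.items():
                if head == magic and not is_expected(info.filename, kind):
                    hits.append((info.filename, kind))
    return hits


def build_sample_wrapper() -> bytes:
    """Constructed input: a wrapper-style APK; all entry names are hypothetical."""
    dex, elf = b"dex\n035\x00" + b"\x00" * 8, b"\x7fELF" + b"\x00" * 12
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", dex)                   # expected location
        z.writestr("lib/armeabi-v7a/libfoo.so", elf)     # expected location
        z.writestr("assets/data.bin", inner.getvalue())  # nested APK
        z.writestr("assets/x.dat", dex)                  # DEX under a data name
        z.writestr("res/raw/y", elf)                     # ELF outside lib/
    return outer.getvalue()


if __name__ == "__main__":
    print(find_embedded_payloads(build_sample_wrapper()))
```

Legitimate apps also ship ZIP or JAR files in their assets, so a hit is a reason to unpack and inspect the entry, not a verdict.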

Common Defences

  • To stay secure, use a reputable mobile security solution to detect and remove threats.
  • Download apps only from the official market.
  • Before downloading, check the number of installs, the ratings and, most importantly, the content of reviews.
  • Deploy firewalls and intrusion prevention systems, for mobile devices also.
  • Back up data at regular intervals.
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
