In late June, Trend Micro security researchers found an information-stealing malware named RETADUP. Further research showed that RETADUP was accompanied by an even more dangerous malware that targets Android devices.
This Android malware has been named GhostCtrl because it can stealthily take control of an Android smartphone. It is based on the popular RAT (Remote Access Trojan) OmniRAT, which can remotely control machines running Windows, Linux, and macOS.
Like much other Android malware, GhostCtrl hides in plain sight by masquerading as popular apps such as WhatsApp, MMS, Pokemon Go, etc. The main APK, which carries the backdoor functions, is named com.android.engine so that it looks like a legitimate system component to users.
After connecting to the Command and Control (C&C) server, it receives encrypted instructions that are decrypted locally on the device. To hide its traffic, the malware contacts the C&C server through a domain name rather than a hard-coded IP address.
Some of the notorious actions triggered by the action codes carried in those commands are:
- Controlling Wi-Fi
- Delete or rename a file
- Upload a file to the C&C server
- Monitor the phone's sensor data
- Delete browser history and SMS messages
- Send an SMS/MMS to any number
- Make a call to any number
- Run a shell command and upload the result
That's not all. GhostCtrl can also record audio from the phone's microphone and upload it to the C&C server. The stolen data is encrypted before it is uploaded.
It should be noted that three different versions of GhostCtrl have been seen in the wild. The second version is more advanced, adding function codes that operate at the device administrator level.
The second version of GhostCtrl can also act as mobile ransomware: it can lock the device screen, reset its password, and root the device. The third version adds further capabilities for hiding its malicious routines, which makes detecting GhostCtrl even more challenging.
To stay safe and mitigate threats like GhostCtrl, Trend Micro advises users to keep their devices updated and apply the principle of least privilege. Users are also advised to back up regularly and to use protections such as encryption and a firewall.
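The capabilities listed above (sending SMS, placing calls, capturing audio, controlling Wi-Fi, device-admin screen lock and password reset) and the com.android.engine naming trick all leave traces in an APK's manifest. The following triage script, an added example that is not part of the article or of Trend Micro's research, parses an AndroidManifest.xml and scores how closely the requested permissions and declared components match that RAT profile. The permission weights, the threshold, and the two sample manifests are this example's own constructions, not indicators published for GhostCtrl; the point is the method, which a practitioner would run over manifests extracted from sideloaded APKs.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"

# Permissions that map onto the capabilities described in the article.
# Weights are this example's own choice (assumption), not published IOCs.
CAPABILITY_PERMISSIONS = {
    "android.permission.SEND_SMS": 3,          # send SMS/MMS to any number
    "android.permission.READ_SMS": 2,          # read/delete SMS
    "android.permission.CALL_PHONE": 3,        # make a call to any number
    "android.permission.RECORD_AUDIO": 3,      # record audio and upload it
    "android.permission.CHANGE_WIFI_STATE": 1, # control Wi-Fi
}
# SMS + call + microphone together is a RAT profile, not a messaging app.
RAT_COMBO = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.RECORD_AUDIO",
}
# A third-party app has no business using a system package prefix
# (GhostCtrl's backdoor APK is named com.android.engine for this reason).
SYSTEM_PREFIXES = ("com.android.", "android.")


def parse_manifest(xml_text):
    """Extract package name, requested permissions and device-admin use."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # A device-admin receiver is protected by BIND_DEVICE_ADMIN; that is
    # what enables screen lock / password reset, as in GhostCtrl's v2.
    device_admin = any(
        r.get(PERM_ATTR) == DEVICE_ADMIN_PERMISSION for r in root.iter("receiver")
    )
    return {"package": package, "permissions": permissions, "device_admin": device_admin}


def score_manifest(info):
    """Return (score, reasons) for the parsed manifest."""
    score, reasons = 0, []
    for perm, weight in CAPABILITY_PERMISSIONS.items():
        if perm in info["permissions"]:
            score += weight
            reasons.append("requests " + perm)
    if info["device_admin"]:
        score += 4
        reasons.append("registers a device-admin receiver (lock screen / reset password)")
    if info["package"].startswith(SYSTEM_PREFIXES):
        score += 4
        reasons.append("package %s impersonates a system component" % info["package"])
    if RAT_COMBO <= info["permissions"]:
        score += 3
        reasons.append("SMS + call + audio capture in one app")
    return score, reasons


def triage(xml_text, threshold=8):
    """Score a manifest; threshold is an assumption for this example."""
    info = parse_manifest(xml_text)
    score, reasons = score_manifest(info)
    return {
        "package": info["package"],
        "score": score,
        "suspicious": score >= threshold,
        "reasons": reasons,
    }


# Constructed sample manifests (not real GhostCtrl artifacts).
GHOSTCTRL_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.engine">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (GHOSTCTRL_LIKE_MANIFEST, BENIGN_MESSENGER_MANIFEST):
        result = triage(manifest)
        print(result["package"], result["score"], result["suspicious"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The messenger sample still requests SMS permissions, so a single permission is never the signal; the scoring deliberately rewards the combination of capabilities, device-admin use, and a package name that pretends to be part of the platform, which is exactly how the article describes GhostCtrl presenting itself.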
Source: Trend Micro