A recently discovered piece of Android malware called GhostCtrl apparently evolved from the well-known OmniRAT tool for desktop platforms and has the ability to steal or delete a wide variety of user and device data.
GhostCtrl has an interesting pedigree and history. The backdoor is connected to a data-stealing worm known as Retadup that was detected infecting several hospitals in Israel last month. GhostCtrl also appears to be based on the code of OmniRAT, a commercially available remote administration tool that works on Windows, Linux, and OS X, and has an Android component, as well. There a number of cracked versions of OmniRAT circulating, and researchers at Trend Micro said there’s a reference to OmniRAT in the GhostCtrl code. Like many malicious apps, this backdoor pretends to be a legitimate Android app and once installed it gets to work taking over the target device.
“The malware masquerades as a legitimate or popular app that uses the names App, MMS, whatsapp, and even Pokemon GO. When the app is launched, it base64-decodes a string from the resource file and writes it down, which is actually the malicious Android Application Package (APK),” Lenart Bermejo, Jordan Pan, and Cedric Pernet of Trend Micro said in an analysis of GhostCtrl.
“The malicious APK, after dynamically clicked by a wrapper APK, will ask the user to install it. Avoiding it is very tricky: even if the user cancels the “ask for install page” prompt, the message will still pop up immediately. The malicious APK doesn’t have an icon. Once installed, a wrapper APK will launch a service that would let the main, malicious APK run in the background.”
The GhostCtrl malware communicates with its command and control server using an encrypted connection and it can execute a wide variety of commands. Among the actions the malware can take are controlling with WiFi state on the device, listing the files in the current directory, deleting arbitrary files, uploading files to the C2 server, sending arbitrary text messages to specified numbers, and deleting the browser history on the phone.
“Another unique C&C command is an integer-type command, which is responsible for stealing the device’s data. Different kinds of sensitive—and to cybercriminals, valuable—information will be collected and uploaded, including call logs, SMS records, contacts, phone numbers, SIM serial number, location, and browser bookmarks,” the researchers said.
“The data GhostCtrl steals is extensive, compared to other Android info-stealers. Besides the aforementioned information types, GhostCtrl can also pilfer information like Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.”
GhostCtrl also has the ability to record voice and other audio from the infected device and upload it to the C2 server, and there is a ransomware component to some version of the malware, as well.