Trend Micro, a Japanese multinational security software company, has detected malware capable of taking over Android devices. The company found that GhostCtrl, a stealthy piece of malware, “can control many of the infected device’s functionalities”. If you have been hit by GhostCtrl, attackers can silently record audio and video from the infected device.

RETADUP Worm: Part Of A More Lethal Malware

The malware was first reported by Trend Micro on July 17. The research team at the cyber security firm was investigating an information-stealing worm (the RETADUP worm) that had hit two Israeli hospitals during the previous month. GhostCtrl, which at first appeared to be standalone malware, turned up during that investigation.

Figure: Android Backdoor. Source: Trend Micro

The basis of this Android malware is a remote access tool (RAT) family called OmniRAT, which has been described as an online pest. “It can take control of Windows, Linux, and Mac systems at the touch of an Android device’s button—and vice versa,” wrote Trend Micro. Its license was being sold for between $25 and $75 back when it was first detected.

Who’s Behind The Malware?

“DroidJack RAT”, sold for $210 as a parental-control tool, was first created by an anonymous person. However, it soon became clear that the malware is much more than a ‘parental tool’. The most challenging aspect of dealing with this malware is that it is packaged quite ‘stealthily’. “The main APK has backdoor functions usually named com.android.engine to mislead the user into thinking it’s a legitimate system application. The malicious APK will then connect to the C&C server to retrieve commands via the socket (an endpoint for communication between machines), new Socket(“hef–klife[.]ddns.net”, 3176),” observed researchers at Trend Micro.
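The masquerading trick above (a side-loaded APK calling itself com.android.engine) leaves a simple trace: genuine system packages are installed under /system or similar partitions, not /data/app. The following triage script is an added example for this article, not Trend Micro's tooling; it parses the output format of `adb shell pm list packages -f` and flags packages that claim a system namespace but were installed from user space. The sample output is constructed, not captured from a real device.

```python
"""Flag user-installed APKs that masquerade as Android system packages,
as GhostCtrl does with its 'com.android.engine' name.

Input format: one line per package from `adb shell pm list packages -f`,
i.e. package:<apk path>=<package name>.
"""
import re

# Partitions where genuine system packages live. A com.android.* package
# whose APK sits anywhere else (typically /data/app) was side-loaded.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")

# Constructed sample output (not from a real device).
SAMPLE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/com.android.engine-1/base.apk=com.android.engine
package:/data/app/com.example.notes-2/base.apk=com.example.notes
"""


def parse_packages(text):
    """Yield (package_name, apk_path) pairs from `pm list packages -f` output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("name"), m.group("path")


def is_system_path(path):
    """True if the APK lives on a read-only system partition."""
    return path.startswith(SYSTEM_PREFIXES)


def suspicious_packages(text, namespaces=("com.android.", "android.")):
    """Return (name, path) for packages claiming a system namespace but
    installed outside the system partitions."""
    return [
        (name, path)
        for name, path in parse_packages(text)
        if name.startswith(namespaces) and not is_system_path(path)
    ]


if __name__ == "__main__":
    for name, path in suspicious_packages(SAMPLE):
        print(f"SUSPICIOUS: {name} installed from {path}")
```

A system app that has received an update also reports its /data/app path, so confirm a hit against `pm list packages -s` (system packages only) and the APK's signing certificate before treating it as malicious.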

What’s Different About This Malware?

Desktop malware can infect thousands of users, but GhostCtrl is far more severe because Android had 2 billion monthly active devices as of May 2017. Moreover, the attackers have released three versions of GhostCtrl within a short time span, each an enhanced and stealthier version of the previous one. It now includes features such as stealing information and files, hijacking the device’s functions, and obscuring its network traffic. The malware is expected to keep evolving into a more sophisticated tool for infecting hundreds of thousands of devices.

Implications

From what the security company and researchers at other firms have found, the following are just a few of the major consequences of being hit by the GhostCtrl malware.

  • Manipulating the device’s functions without the owner’s consent or knowledge
  • Stealing data and files from the phone and uploading them to a remote server
  • Making calls and sending SMS/MMS to a chosen number with customised content
  • Downloading further malicious and invasive files onto the device
  • Turning the malware into mobile ransomware

The Way Forward

There is no shortcut to making sure your device is hack-proof. I have been writing about best practices you can adopt to mitigate these attacks.

  • The first line of defence is keeping your systems and devices updated and installing baseline antivirus software
  • Be careful when granting privileges to apps and devices, and err on the side of caution
  • Old school but still relevant: back up your data
  • Do not connect to every Tom, Dick and Harry’s open Wi-Fi network
  • Regularly review which services and apps have access to your phone’s data

Shargeel is an internet privacy expert and information technology enthusiast.
