Newfound GhostCtrl Android Malware Can Control Your Device

Android malware has another new player in the form of GhostCtrl, a silent malware that can surreptitiously record video and audio from a user's device, and even seize control of the device for certain functions, all without the user knowing it's there. Linked to the RETADUP worm that recently attacked hospitals in Israel, GhostCtrl looks to be a variant of the commercially available OmniRAT malware and comes in three distinct versions. The first steals information and makes use of a few minimal device functions, while the second is more focused on device control. The third version combines the two, and researchers expect the malware to become more sophisticated as it spreads.

OmniRAT came out back in 2015 and was sold as a service to anybody willing to pay to use it. Once somebody had paid up or cracked the program, they were free to modify the base code as they wished, or build an entirely new project around OmniRAT. That's exactly what has been done here: GhostCtrl's code even references OmniRAT. Once a user has downloaded something with GhostCtrl packed inside, install prompt after install prompt will keep popping up until the user either completely resets their device, erasing the offending app in the process, or gives in to the request. From there, the user interacts with a front app while the real work happens in the background. GhostCtrl connects to a home server that feeds it instructions on a per-infection basis, and once it's in, it can do things like change the device's wallpaper, run a script in the background and return its results to the attacker, and download files.

GhostCtrl can steal almost any information from the device, and can even intercept, transmit, and delete SMS messages without the user knowing that they ever arrived. Researchers noted that an instance of GhostCtrl that infects a device tends to pull new abilities from the control server, growing in capability and scope over time. If it manages to gain root privileges on a device, it's quite possible that nothing short of a fresh flash of the phone's firmware via a flashing tool like LGNPST or Samsung ODIN will save the device. The nastiest version of the malware is even able to hide some of its activity from monitoring channels accessible to most users. Naturally, this means that the potential for the infection to become ransomware in the vein of Petya is very real.

Like many other malware variants that require installation, GhostCtrl likes to pose as popular or ubiquitous app archetypes and particular apps, and one of its more prominent forms is a Pokemon GO clone. There have so far been no reports of infections originating from a Play Store app, but it's no secret that the Play Store is not entirely safe, so the best practice is to be careful about the apps you download by checking their permissions and metrics. Installing Android apps from outside of the Play Store, meanwhile, is always a risky proposition.

Copyright ©2019 Android Headlines. All Rights Reserved
About the Author

Daniel Fuller

Senior Staff Writer
Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include the likes of machine learning, voice assistants, AI technology development, and hot gaming news in the Android world. Contact him at [email protected]