GhostCtrl Is a RAT That Silently Haunts Android Users By Hijacking Functionality

Researchers have found a highly versatile Android remote access trojan (RAT) that is able to hijack Android's device functionality, stealing information.

Dubbed 'GhostCtrl', it opens a malicious backdoor on the devices it hijacks. According to Trend Micro, it is linked to RETADUP, a Windows-based information-stealing worm that combines a worm, an infostealer and a backdoor trojan.

The worm was first discovered on June 27, 2017, after samples were detected and blocked while attempting to infect two hospitals in Israel.

Trend Micro further reported that GhostCtrl gives attackers the flexibility and options to specify which malicious actions to perform and what content to steal. For example, the malware can be used to secretly upload and download files, intercept and send out SMS and MMS messages, run shell commands, call phone numbers, and even record voice.

Trend Micro warned that GhostCtrl can also steal an "extensive" range of information, including call logs, SMS records, contacts, phone numbers, SIM serial numbers, usernames, locations, Android OS versions, Wi-Fi and Bluetooth details, camera, browser and search data, service processes, activity information, and more.

The stolen data is then encrypted before being sent to a server controlled by the attacker.

Here’s a list of some of the action codes and what each does to the device, according to Trend Micro:

[Image: table of GhostCtrl action codes and their effects, from Trend Micro]

According to Jon Clay, director of global threat communication at Trend Micro:

"The actors behind the attacks utilized both RETADUP and GhostCtrl. One targeted PCs while the other targeted Android users. We're seeing more targeted attack actors utilize multiple malicious tools in their arsenal to ensure they are able to gather information and/or intelligence from their target victims."

What makes GhostCtrl dangerous is not limited to the damage it can do directly. According to Trend Micro, the payload is a heavily customized version of OmniRAT, a multi-purpose RAT and one of the few that can target four major operating systems: Android, Linux, macOS, and Windows.

The malware is also an unusual RAT in that it can clear or reset specific account passwords, control Bluetooth to search for and connect to other devices, and disconnect active phone calls.

Those abilities, together with its ability to lock the device screen, allow some versions of GhostCtrl to potentially act as ransomware, forcing users to pay in order to regain control of their devices.

There are three versions of the GhostCtrl malware, each offering an increasing number of functions that can be hijacked, the report continues.

The first version introduced a framework to enable admin-level privileges.

The second added ransomware capabilities and allows attackers to root infected devices.

The third version incorporates obfuscation techniques to hide its malicious activity, and uses both a wrapper and an intentionally complex infection chain to make detection harder. As shown in the picture below, this long-winded attack chain makes detection more challenging, made worse by the fact that the wrapper APK hides the packed APK, as well as DEX and ELF files, in the assets directory.

[Image: GhostCtrl version 3 infection chain, from Trend Micro]
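A defender-side triage heuristic for the wrapper technique described above, added here as an example and not code from Trend Micro or the article: it opens an APK as a ZIP and flags assets/ entries whose headers identify them as a nested APK, a DEX or an ELF binary. The "wrapper APK" it scans is constructed in memory as a stand-in; no real sample is used.

```python
import io
import zipfile

# Magic bytes of the payload types the article says the wrapper hides under assets/.
MAGICS = {
    b"dex\n": "dex",       # Dalvik executable header ("dex\n035\0" and similar)
    b"\x7fELF": "elf",     # native ELF binary
    b"PK\x03\x04": "zip",  # ZIP container; an APK is a ZIP holding AndroidManifest.xml
}


def classify(data):
    """Return 'dex', 'elf' or 'apk' if the asset blob carries code, else None."""
    for magic, kind in MAGICS.items():
        if not data.startswith(magic):
            continue
        if kind != "zip":
            return kind
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if "AndroidManifest.xml" in inner.namelist():
                    return "apk"  # a packed APK rather than an ordinary data archive
        except zipfile.BadZipFile:
            pass
    return None


def scan_assets(apk_bytes):
    """Map every assets/ entry that looks like executable code to its type."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("assets/") and not name.endswith("/"):
                kind = classify(apk.read(name))
                if kind:
                    hits[name] = kind
    return hits


def build_sample_wrapper():
    """Constructed stand-in for a wrapper APK (not a real GhostCtrl sample)."""
    dex = b"dex\n035\0" + b"\0" * 16
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")       # benign asset
        z.writestr("assets/data.bin", inner.getvalue())           # hidden packed APK
        z.writestr("assets/cache.db", dex)                        # hidden DEX
        z.writestr("assets/update.dat", b"\x7fELF" + b"\0" * 12)  # hidden ELF
    return outer.getvalue()
```

Calling `scan_assets(build_sample_wrapper())` reports the three disguised payloads and ignores the PNG; on a real APK the same check gives an analyst a quick reason to look closer before any dynamic analysis.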

Android users can infect themselves with GhostCtrl by downloading fraudulent versions of legitimate apps. Trend Micro said that malicious APK files that may contain GhostCtrl have used popular names such as "App," "MMS," "whatsapp" and "Pokemon GO."

When users download the infected app, it repeatedly shows pop-up requests asking them to install it.

Overall, GhostCtrl is one of the most advanced Android RATs seen to date. Its features can cause huge damage to victims and suggest that the malware was developed by a threat actor with expertise in Android development.

Published: 17/07/2017