Security engineers identified the GhostCtrl Android virus family that has the ability to spy on the users at all times. The malicious code contains a fully-featured surveillance module that can record and transmit audio, video, screenshots and other sensitive data from the victim machines.
GhostCtrl Android Virus – A Powerful Spying Tool
GhostCtrl Android Virus was recently discovered as part of a security investigation. The hackers behind the malware are still not known – it may be an individual person or a criminal collective. The detected attack have been investigated and the follow-up reports showcase the features of the GhostCtrl Android virus family.
The attack campaign is targeted at mobile users worldwide and there are several versions of the malware available. It is very likely that the virus has been in development for a long time and tested on different devices as the security reports indicate that it contains a lot of potent featured. Among them is the complete surveillance module.
GhostCtrl Android virus hacker operators can utilize the built-in functions to record audio from the built-in microphone and video using the cameras that can be transmitted to the hackers. It is possible to utilize the Android virus as a very powerful spying and surveillance tool.
GhostCtrl Android Virus Technical Overview
So far three distinct versions of the GhostCtrl Android Virus have been identified. All of them contain source code that originates from a multi platform malware called OmniRAT that is able to infiltrate and take over control of the infected hosts. Back in 2015 when it was launched in a global attack campaign it supported the most popular operating systems and devices: Microsoft Windows, Mac OS X, Android and Gnu/Linux distributions.
There are two possible scenario that speculate its origins:
- GhostCtrl is an overhauled version of OmniRAT. Back in 2015 when the malware was detected hackers from around the world used it to infect both mobile and desktop devices. It was available on the hacker underground markets as a subscription package for a low price which was one of the main factors of infections.
- It is possible that the hacker operators of GhostCtrl have incorporated source code of several Trojans and viruses. The detected OmniRAT code may be merely just one part of the code.
The GhostCtrl Android virus is described in the security reports as an iteration of the OmniRAT malware. Like its parent GhostCtrl is operated as a “service”, allowing the computer hackers to configure its settings at will. Once the infections have been made the surveillance module is immediately started.
There are three distinct versions of the GhostCtrl Android virus that feature different infection and behavior patterns.
The first version aims to immediately gain administrator privileges on the infected machines. A second version introduces a lockscreen instance that effectively prevents ordinary interaction with the infected devices until the malware is removed. It supports password resetting of all accounts, camera hijacking and setting up scheduling tasks. The hackers can also execute various data stealing using the built-in functions.
The third GhostCtrl Android virus version is able to hide itself from most anti-virus detection engines by obfuscating its code and incorporating fake copyright. During the initial infections it uses several layers of string commands and packages to evade detection.
GhostCtrl Android Virus Capabilities
Once the initial GhostCtrl Android virus infection has been made the built-in engine automatically launches a service process that runs in the background. This means that without any apparent user interaction the dangerous processes are working at all times. The application itself masks as a system process and that is reflected in the software name – depending on the strain it may be com.android.engine or something similar.
The next step that the engine performs is to contact the remote command and control (C&C) servers to report the infection to the hacker operators. Its interesting to note that the viruses connect to a domain rather than a direct IP address – this is an advanced tactic that is used to evade detection. The captured samples so far showcase connection attempts to four addresses:
- hef–klife[.]ddns[.]net
- f–klife[.]ddns[.]net
- php[.]no-ip[.]biz
- ayalove[.]no-ip[.]biz
The criminal operators are able to execute actions using Object DATA commands, this provides one of the most flexible ways of controlling the infected devices.
Other similar malware use scripts or shell commands that are controlled by sending out commmand queries. The use of action codes allows for a flexible input. Examples include the following:
- Wi-Fi State control
- User Interface mode changes
- Vibration function, pattern control and manipulation
- Downloading of files and multimedia from hacker-specified sources
- Files manipulation (modifying names, renaming data, deleting user and system files), as well as transfer to the hackers
- Sending of SMS/MMS messages to hacker-provided numbers
- Browser hijacking – stealing cookies, browsing history, form data, stored password and account credentials
- Manipulation of installed system and user settings
- Spying on the users activity in real time
The security researchers note that the GhostCtrl Android virus is one of the most extensive when it comes to spying capabilities. The engine is able to collect and transmit virtually all types of sensitive information. Even compared to other Android information stealers its potential is very expansive.
Not only is the virus engine capable of monitoring and stealing all of the stored data, it can monitor and intercept messages from different data sources: SMS, MMS, power states, various messenger accounts, social networks, sensor data, camera and etc. One of the most dangerous possible actions is the recording of audio and video from the infected device and transmitting it in real time to the hackers.
The GhostCtrl Android virus encrypts all data streams to the criminals which hinders detection using network traffic analysis if the administrators do not known the malicious domains and C&C server addresses.
July 24 Update – Upcoming GhostCtrl Ransomware Expected
It is possibble that future updates to the code may produce а GhostCtrl ransomware strain. Experts speculate that such advances viruses can be easily tweaked and further improved to produce the extortion tools. By incorporating ransomware tactics the criminal operators can easily make much more profit out of the victims.
Android ramsomware work in the same way as the computer versions – they target system and personal data, encrypt it using a strong cipher and modify essential settings. Most of the updated Android viruses employ lockscreen instances that prevent ordinary computer interaction until the virus is completely removed from the devices. They also prevent manual recovery attempts by analyzing the user and system commands in real time. A GhostCtrl ransomware for Android devices might become one of the top threats for this season or even the year.
GhostCtrl Android Virus Infection Methods
Android users can get infected with the GhostCtrl by falling victim to several of the spread tactics currently employed by the hacker operators:
- The criminals have set up fake listings on the Google Play Store and other repositories that pose as legitimate popular applications and games. The list includes Candy Crush Saga, Pokemonn GO, WhatsApp and others
- Other infection sources include fake download portals that are controlled by the hackers and allow APK installation files for “sideloading”. This is the practice of downloading and installing software (usually pirate copies) from Internet sites other than the Google Play Store.
- Malware, web redirects and other dangers can also lead to a successful GhostCtrl Android virus infection.
GhostCtrl Android Virus Infection Prevention
It is difficult to defend against GhostCtrl Android virus infections if the mobile users do not follow good security guidelines. Android users are warned that it is difficult to remove active infections as the virus engine is capable of injecting itself and masquerading as system processes. This is the reason why adequate measures must be taken to prevent malware installations.
One of the most important measures include regular updating of the system and user installed applications. When installing new software the users need to check the user comments and requested privileges, all unusual requests need to be ignored and disallowed. If working in a company environment corporate administrators can enforce additional protection – firewalls, blacklists and other measures.
Mobile anti-virus and anti-spyware solutions can be used to defend against possible infections.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: