Google’s Android platform has in the past been victim to a host of malware, ransomware, and malicious attacks. In the recent past, reports related to malware named CopyCat, LeakerLocker, and SpyDealer were making the rounds of the Internet, and now we have been acquainted with a new attack vector, known as GhostCtrl. Cyber-security analysts at Trend Micro have revealed a backdoor worm that stealthily controls several functionalities of infected Android devices. If this doesn’t sound alarming enough, the researchers have further added that this vulnerability will continue to evolve while secretly recording audio or voice and send to the attacking server in an encrypted manner.
The researchers have demonstrated that the GhostCtrl Android malware has three variants wherein the first can pilfer device information and control some of its functionalities, the second can add more features to favour an imminent device hijack, and the third combines the best of the earlier two and adds more features. Notably, the GhostCtrl worm is an extension of the vulnerability that impacted Israeli hospitals earlier and the ill-famed OmniRAT platform that was in news way back in 2015 for claiming massive exploits and remote-controlling Windows, Linux, and Mac systems via any Android device and vice versa.
The GhostCtrl backdoor masquerades as a legitimate app such as WhatsApp, and the popular Pokemon Go. As soon as the app is launched, it progresses to install a malicious APK package under the hood. The malicious APK is actually concealed under a wrapper APK, which will ask the user to install it. After this is executed, the attackers will be able to retrieve all the data and take the control of the device by harnessing a range of commands without the user’s acknowledgement.
The Trend Micro report highlights some of the commands/ executable actions that allow the attackers to manipulate the device’s functionalities. Besides controlling basic functions on the devices, the GhostCtrl can also reset passwords, change and play different sounds on the device. “The data GhostCtrl steals is extensive, compared to other Android info-stealers. Besides the aforementioned information types, GhostCtrl can also pilfer information like Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper,” reads the report.
In order to curb the GhostCtrl and other similar worms, Trend Micro has detailed a list of measures that the user should take to ensure data safety. A few of them include updating the device to the latest firmware, backing up the data at certain intervals, and restricting user permissions for apps. Users can also switch to multi-layered security mechanisms for better data management.