Android malware has another new player in the form of GhostCtrl, a stealthy remote-access tool that can surreptitiously record video and audio from a user's device and take over certain device functions, all without the user knowing it is there. Discovered alongside the RETADUP worm that recently hit hospitals in Israel, GhostCtrl looks to be a variant of the commercially sold OmniRAT and comes in three distinct versions. The first variant steals information and uses a small set of device functions, while the second is more focused on device control. The third combines the two, and researchers expect the malware to grow more sophisticated as it spreads.
OmniRAT came out back in 2015 and was sold commercially to anybody willing to pay for it. Once somebody had paid up or cracked the program, they were free to modify the base code as they wished or build an entirely new project around it, and that is exactly what has happened here: GhostCtrl's code even references OmniRAT. Once a user has downloaded something with GhostCtrl packed inside, the install prompt reappears every time it is dismissed, until the user either gives in to the request or wipes the device, removing the offending app in the process. From there, the user interacts with a decoy front app while the real work happens in the background: GhostCtrl connects to a command-and-control server that feeds it instructions on a per-infection basis, and once it is in, it can do things like change the device's wallpaper, run a script in the background and return its results to the attacker, and download files. GhostCtrl can steal almost any information on the device, and can even intercept, forward, and delete SMS messages without the user knowing they ever arrived. Researchers noted that an infected device tends to pull new capabilities from the control server, growing in scope over time. If the malware manages to gain root privileges, it is quite possible that nothing short of reflashing the phone's firmware with a tool like LGNPST or Samsung ODIN will clean the device. The nastiest version is even able to hide some of its activity from the monitoring channels accessible to most users. Naturally, this means the potential for an infection to be turned into ransomware, in the vein of Petya, is very real.
Like many other malware families that require installation, GhostCtrl poses as popular or ubiquitous app archetypes and particular apps, and one of its more prominent disguises is a Pokemon GO clone. There have thus far been no reports of infections originating from a Play Store app, but it is no secret that the Play Store is not entirely safe, so the best practice is to be careful about the apps you download by checking the permissions they request, who the developer is, and the app's install and review history. In any case, installing Android apps from outside the Play Store is always a risky proposition.
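The two habits described above, a decoy front app carrying the real payload inside it and a permission set broad enough to record audio and video, handle SMS, set the wallpaper and restart after boot, can both be checked before an APK is ever installed. The script below is an added example written for this page; it is not code from the original article or from the GhostCtrl research. It assumes the manifest has already been decoded to plaintext with `apktool d` (a raw APK carries a binary AXML manifest, which this script does not parse) and that the package itself can be read as an ordinary zip. The permission groups, the sample manifest and the in-memory APK are all constructed for the example, not published indicators.

```python
"""Pre-install triage for a sideloaded Android package (added example).

Two checks: (1) which RAT-style capabilities the manifest asks for and
whether a receiver gives the app a foothold at boot or on incoming SMS;
(2) whether another APK is packed inside the package, which is how a
decoy app can carry its real payload.  Assumes an apktool-decoded
plaintext AndroidManifest.xml; the package is read as a plain zip.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Capability groups matching the behaviours described in the text.
# The grouping is this example's own choice, not a published signature.
RAT_PERMISSIONS = {
    "surveillance": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "control": {"android.permission.SET_WALLPAPER",
                "android.permission.RECEIVE_BOOT_COMPLETED",
                "android.permission.SYSTEM_ALERT_WINDOW"},
    "network": {"android.permission.INTERNET"},
}

# Receiver actions that let the app run without the user opening it.
FOOTHOLD_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                    "android.provider.Telephony.SMS_RECEIVED"}

ZIP_MAGIC = b"PK\x03\x04"  # local file header; an APK is a zip, so it starts with this


def declared_permissions(manifest_xml: str) -> set[str]:
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def receiver_actions(manifest_xml: str) -> set[str]:
    root = ET.fromstring(manifest_xml)
    return {a.get(NAME_ATTR) for r in root.iter("receiver") for a in r.iter("action")}


def permission_findings(manifest_xml: str) -> dict[str, set[str]]:
    """Map each capability group to the declared permissions that fall in it."""
    declared = declared_permissions(manifest_xml)
    return {g: declared & p for g, p in RAT_PERMISSIONS.items() if declared & p}


def embedded_apks(apk_bytes: bytes) -> list[str]:
    """Members of the package that are themselves zip/APK files.
    Checks the magic bytes, not the extension, so a payload renamed to
    .dat or .png is still caught."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                if member.read(4) == ZIP_MAGIC:
                    found.append(info.filename)
    return found


def triage(manifest_xml: str, apk_bytes: bytes) -> dict:
    """Combine both checks into a coarse verdict: low / medium / high."""
    findings = permission_findings(manifest_xml)
    foothold = receiver_actions(manifest_xml) & FOOTHOLD_ACTIONS
    payloads = embedded_apks(apk_bytes)
    score = len(findings) + (1 if foothold else 0) + (1 if payloads else 0)
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {"permissions": findings, "foothold": foothold,
            "payloads": payloads, "score": score, "verdict": verdict}


# ---- constructed sample input (not a real sample) ----
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pokeclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Pokemon GO">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
    <receiver android:name=".Sms"><intent-filter android:priority="999">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".Main"/></application>
</manifest>"""


def _zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Decoy package with a second APK hidden under assets/ as 'engine.dat'."""
    inner = _zip({"AndroidManifest.xml": b"\x03\x00\x08\x00", "classes.dex": b"dex\n035\x00"})
    return _zip({"AndroidManifest.xml": b"\x03\x00\x08\x00", "classes.dex": b"dex\n035\x00",
                 "assets/engine.dat": inner, "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n"})


def build_benign_apk() -> bytes:
    return _zip({"AndroidManifest.xml": b"\x03\x00\x08\x00", "classes.dex": b"dex\n035\x00"})


if __name__ == "__main__":
    for label, m, a in (("decoy", SAMPLE_MANIFEST, build_sample_apk()),
                        ("benign", BENIGN_MANIFEST, build_benign_apk())):
        print(label, triage(m, a))
```

The verdict is deliberately coarse: a legitimate messaging app will also hit the `sms` and `network` groups, so a single group is never damning on its own. What should raise an eyebrow is the combination the text describes, surveillance plus SMS plus a boot or SMS receiver, and above all a second zip inside `assets/` or `res/raw/`, which an ordinary game or utility has no reason to carry.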