GhostCtrl Android Malware is Downright Scary

Remember that time you let your tween borrow your phone and they “helped” you out by downloading WhatsApp for you? Well let’s hope what they downloaded was a legitimate copy of the app from a legitimate source or you may now be unwittingly sharing way more of your personal life with total strangers than you ever thought possible!

Dubbed GhostCtrl by the researchers at Trend Micro who first caught it in the wild, this nasty little malware beast, which typically masquerades as popular apps such as WhatsApp and Pokémon Go can give the hackers who unleashed it unprecedented control over a victim’s device.

A Rapidly Evolving Scary Ghost

GhostCtrl continues to evolve and there are at least 3 versions operating in the wild right now.  The first iteration steals information and controls some of the devices function, the second added the ability to hack more features and according to Trend Micro, “The third iteration combines the best of the earlier versions’ features—and then some.”

Based upon clues in its source code, GhostCtrl appears to be a scion of OmniRAT, the commercially sold Remote Access Tool that allows the takeover of Windows, Linux and Mac systems with the push of an Android button.

You Will Obey My Commands

Like some evil hypnotist, GhostCtrl can make the victim’s device do virtually anything the hacker wants it to do by sending commands from a remote control server.

Here is a partial but frightening list of those commands:

  • ACTION CODE =10, 11: Control the Wi-Fi state
  • ACTION CODE= 34: Monitor the phone sensors’ data in real time
  • ACTION CODE= 37: Set phone’s UiMode, like night mode/car mode
  • ACTION CODE= 41: Control the vibrate function, including the pattern and when it will vibrate
  • ACTION CODE= 46: Download pictures as wallpaper
  • ACTION CODE= 48: List the file information in the current directory and upload it to the C&C server
  • ACTION CODE= 49: Delete a file in the indicated directory
  • ACTION CODE= 50: Rename a file in the indicated directory
  • ACTION CODE= 51: Upload a desired file to the C&C server
  • ACTION CODE= 52: Create an indicated directory
  • ACTION CODE= 60: Use the text to speech feature (translate text to voice/audio)
  • ACTION CODE= 62: Send SMS/MMS to a number specified by the attacker; the content can also be customized
  • ACTION CODE= 68: Delete browser history
  • ACTION CODE= 70: Delete SMS
  • ACTION CODE= 74: Download file
  • ACTION CODE= 75: Call a phone number indicated by the attacker
  • ACTION CODE= 77: Open activity view-related apps; the Uniform Resource Identifier (URI) can also be specified by the attacker (open browser, map, dial view, etc.)
  • ACTION CODE= 78: Control the system infrared transmitter
  • ACTION CODE= 79: Run a shell command specified by the attacker and upload the output result

With this type of control the hackers can choose to be a nuisance, ransomer, evil spy or blackmailer depending upon their motives.

Scared? Who ya Gonna Call?

When it comes to mobile security, BYOD security and Network security our engineers are real life “ghost” busters who can develop comprehensive and holistic security solutions for your organization. So, who ya gonna call? Call Konsultek!


© Copyright 2018 Konsultek