What is GhostCtrl? Android malware 'possesses' devices to spy, steal and do its bidding

GhostCtrl is a variant of the commercially available OmniRAT malware that can target Android, Mac, Windows and Linux systems.

Hackers have begun deploying Android malware to steal from and spy on victims. The newest kid on the Android malware block is GhostCtrl. The malware comes with a massive range of capabilities and can even be converted into a mobile ransomware. Security experts say that the malware is a variant of the OmniRAT malware that can target Android, Mac, Windows and Linux systems, and is commercially available.

GhostCtrl appears to be a truly potent malware and comprehensively "possesses" devices to spy on victims and steal extensive data, including call logs, SMS records, contacts, phone numbers, SIM serial number, location, and browser bookmarks. Unlike other Android malware variants, GhostCtrl goes much further in harvesting victims' data, pilfering information such as "Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper."

GhostCtrl has backdoor features and is very flexible

According to Trend Micro researchers, GhostCtrl also functions as a backdoor and has been designed to allow hackers to go after specific targets and content. The malware's backdoor connects to a domain rather than directly to a C&C server, which helps in evading detection. This feature makes the malware highly flexible. "This is the command that allows attackers to manipulate the device's functionalities without the owner's consent or knowledge," researchers said.

"It can also intercept text messages from phone numbers specified by the attacker. Its most daunting capability is how it can surreptitiously record voice or audio, then upload it to the C&C server at a certain time. All the stolen content will be encrypted before they're uploaded to the C&C server," Trend Micro researchers said.

What can GhostCtrl do?

GhostCtrl is capable of comprehensively infiltrating a device and manipulating it to "do its bidding," researchers say.

Three versions of GhostCtrl

Trend Micro researchers say that the malware has three versions. The first one has been designed to allow it to gain admin privileges, while the second version can transform it into a mobile ransomware. This version would allow hackers to lock the device's screen, alter the device's password and also root it. "It can also hijack the camera, create a scheduled task of taking pictures or recording video, then surreptitiously upload them to the C&C server as mp4 files," Trend Micro researchers said. The third version of GhostCtrl comes with security evasion features.

"GhostCtrl's combination with an information-stealing worm, while potent, is also telling," researchers said. "The attackers tried to cover their bases, and made sure that they didn't just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl's capabilities can indeed deliver the scares."

How to stay safe?

Trend Micro researchers recommend that users "keep their devices updated." Organisations are encouraged to restrict permissions for employees for "BYOD devices" (which refers to the practice of allowing employees to bring their own devices to work and connect them to the firm's networks and systems), "to prevent unauthorized access and installation of dubious apps."

Researchers also encouraged users to install firewall and intrusion detection software, use encryption and regularly back up data.

© Copyright 2017 IBTimes Co., Ltd. All Rights Reserved.