
New OmniRAT Variant 'GhostCtrl' Takes Full Control Over Targeted Android Devices

Posted: July 18, 2017

Cyber security company Trend Micro reports on a new malware threat targeting Android devices. The new backdoor is called GhostCtrl, and the researchers say it is a variant of the better-known OmniRAT malware, first spotted around two years ago. Although OmniRAT had a broader reach, targeting many platforms including Linux, Windows and even Mac, GhostCtrl also shows the potential to cause severe damage on infected devices. According to Trend Micro's report, the new Android backdoor can steal all kinds of data from the victim, but not only that: it can also spy on users and receive commands from its operators, all of which suggests it is a formidable threat to users' security.

So far, the researchers have identified three versions of the malware, each providing a different level of access to the target device. The first version allows the attackers to extract certain data and control some of the device's features, while the second adds some more features. Both gain admin-level privileges, yet they operate without obfuscation. The third version is the most advanced of all, as it includes obfuscation techniques to hide itself from security tools. It also gives the malware operators full access to the infected device, allowing them to steal any locally stored data and to spy on the victims.

GhostCtrl is spread as stand-alone APKs with names like Pokemon Go, MMS, WhatsApp, and so on. The malware hides within a wrapper APK. Once the user has clicked on the malicious file, avoiding the installation becomes very tricky: the malware displays a pop-up message asking the user to download it, and when the user tries to cancel the process, the message keeps reappearing on the screen.

After the wrapper is installed, it launches a service which, in turn, lets GhostCtrl run in the background. GhostCtrl then connects to the hackers' Command-and-Control (C&C) server through port 3176 and waits to receive commands. However, the researchers found that the malware does not connect directly to the C&C server's IP address but rather to a domain, probably in an attempt to obscure the hackers' traffic. Several Dynamic Name Servers (DNS) were also associated with the same C&C IP address. Victims will find it hard to recognize the malware, as it has no icon, and looking at the list of running processes does not help much either: the service that GhostCtrl uses runs as a process named "com.android.engine," so it looks like a legitimate Android process that should not be killed.
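As an added defender-side example (not code from the Trend Micro report or this article), the following Python scans a constructed per-app connection log for the indicators described above: a process named com.android.engine and outbound connections on port 3176 that go to a domain name rather than a raw IP. The log format, the placeholder hostnames and the two-indicator alert threshold are assumptions.

```python
import ipaddress
import re

# Indicators taken from the description above (C&C port and service process name).
GHOSTCTRL_C2_PORT = 3176
GHOSTCTRL_PROCESS = "com.android.engine"

# Constructed sample connection log; hosts are placeholders (example.*, .invalid, TEST-NET-3).
SAMPLE_LOG = """\
proc=com.android.chrome dst=www.example.com:443
proc=com.android.engine dst=c2-placeholder.invalid:3176
proc=com.android.engine dst=203.0.113.5:3176
proc=com.example.messenger dst=chat.example.net:5222
proc=com.example.game dst=cdn.example.org:3176
"""

LINE_RE = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def is_ip_literal(host: str) -> bool:
    """True when the destination is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(proc: str, host: str, port: int) -> list[str]:
    """Return the GhostCtrl-style indicators that one connection matches."""
    reasons = []
    if port == GHOSTCTRL_C2_PORT:
        reasons.append("c2-port-3176")
    if proc == GHOSTCTRL_PROCESS:
        reasons.append("process-com.android.engine")
    # The backdoor reaches its C&C via a domain, not the raw IP, so a named
    # destination on the C&C port is a further (weaker) signal.
    if port == GHOSTCTRL_C2_PORT and not is_ip_literal(host):
        reasons.append("domain-on-c2-port")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Alert when two or more indicators coincide on one connection."""
    alerts = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        reasons = assess(m["proc"], m["host"], int(m["port"]))
        if len(reasons) >= 2:
            high = "process-com.android.engine" in reasons
            alerts.append({"proc": m["proc"], "host": m["host"], "port": int(m["port"]),
                           "reasons": reasons, "severity": "high" if high else "medium"})
    return alerts
```

Port 3176 alone is deliberately not enough to alert; the process name raises an alert to high severity, and a named host on that port is reported at medium severity for triage.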

The most advanced version of the Android backdoor can steal pretty much everything from the infected device, including phone numbers, SMS records, contacts, location, call logs, SIM serial number, browser bookmarks, etc. Moreover, GhostCtrl can also access the camera and record audio and video files that can later be uploaded to the hackers' C&C server, meaning it can spy on users in every possible way. All data transferred to the malware's operators is encrypted. GhostCtrl can also perform more specialized tasks on command from its operators: it can play different sound effects or reset the password for a configured account.
