GhostCtrl Android Malware Records Audio, Video and Spies on Users

Perhaps it is not so surprising to see powerful malware now being created to target Android devices. Researchers at Trend Micro recently discovered yet another malicious software that infects Android devices and ends up stealing pretty much anything for the attacker.


The new malware goes by the name of GhostCtrl (a variant of OmniRAT) as Trend Micro discovered it as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA. Up till now, the team has found out three versions of the malware with each version having certain capabilities.

The first version, as Trend Micro notes, is capable of gaining admin privileges and once the malware is in the system, it automatically starts to evolve so that more of the device can be hijacked.

The second version, on the other hand, has mobile hacking capabilities as it can lock mobile screens while resetting mobile passwords. Furthermore, the second version can virtually take control of the infected phone’s camera and secretly take photos along with videos and upload them to the command-and-control center.

The third version is for making the detection of the malware incredibly difficult since it is associated with a wrapper APK which is used to cover up the actual APK that undertakes all the malicious routines.

Resources.arsc file indicating it’s an OmniRAT variant (Image credit: Trend Micro)

How does it work?

Essentially, the malware come as fake apps masked with legitimate names such as PokemonGO, WhatsApp, etc. If the app is downloaded, it launches an APK which is the linchpin of the entire malware.

The APK will prompt the user to install the app and the user cannot undo the installation. That is, even if the user tries to cancel the installation, the APK will keep displaying the prompt.

After the APK is installed, the wrapper APK will start to run and allow the actual APK to run in the background.

One of the things that cause the user to think that the APK is legitimate is that once it is launched, it will start a process by the name of which causes the user to think that the app is running a real process.

Subsequently, GhostCtrl connects with its command-and-control center through a domain and receives all sorts of commands that allow the malware to do anything from stealing text messages to manipulating the phone’s camera, browser, Bluetooth, etc.

How to protect yourself?

Although the malware is quite powerful, the threat can be mitigated by keeping your device updated. Furthermore, Trend Micro recommends users and organizations to set their devices and systems to least privileges. 

Also, Android users are advised not to download unnecessary apps and use reliable anti-virus software.

Sponsored: DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Related Posts