Android malware
GhostCtrl also functions as a backdoor and has been designed to allow hackers to go after specific targets and content iStock

Hackers have begun deploying Android malware to steal from and spy on victims. The newest kid on the Android malware block is GhostCtrl. The malware comes with a massive range of capabilities and can even be converted into a mobile ransomware. Security experts say that the malware is a variant of the OmniRATmalware that can target Android, Mac, Windows and Linux systems, and is commercially available.

GhostCtrl appears to be a truly potent malware and comprehensively "possesses" devices to spy on victims and steal extensive data, including call logs, SMS records, contacts, phone numbers, SIM serial number, location, and browser bookmarks. Unlike other Android malware variants, GhostCtrl goes much further in harvesting victims' data, pilfering information such as "Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper."

GhostCtrl has backdoor features and is very flexible

According to Trend Micro researchers, GhostCtrl also functions as a backdoor and has been designed to allow hackers to go after specific targets and content. The malware's backdoor connects to a domain rather than directly to a C&C server, which helps in evading detection. This feature makes the malware highly flexible. "This is the command that allows attackers to manipulate the device's functionalities without the owner's consent or knowledge," researchers said.

"It can also intercept text messages from phone numbers specified by the attacker. Its most daunting capability is how it can surreptitiously record voice or audio, then upload it to the C&C server at a certain time. All the stolen content will be encrypted before they're uploaded to the C&C server," Trend Micro researchers said.

What can GhostCtrl do?

GhostCtrl is capable comprehensively infiltrating a device and manipulating it to "do its bidding," researchers say.

  • Control the Wi-Fi state
  • Monitor the phone sensors' data in real time
  • Set phone's UiMode, like night mode/car mode
  • Control the vibrate function, including the pattern and when it will vibrate
  • Download pictures as wallpaper
  • List the file information in the current directory and upload it to the C&C server
  • Delete a file in the indicated directory
  • Rename a file in the indicated directory
  • Upload a desired file to the C&C server
  • Create an indicated directory
  • Use the text to speech feature (translate text to voice/audio)
  • Send SMS/MMS to a number specified by the attacker; the content can also be customized
  • Delete browser history
  • Delete SMS
  • Download file
  • Call a phone number indicated by the attacker
  • Open activity view-related apps; the Uniform Resource Identifier (URI) can also be specified by the attacker (open browser, map, dial view, etc.)
  • Control the system infrared transmitter
  • Run a shell command specified by the attacker and upload the output result
  • Clearing/resetting the password of an account specified by the attacker
  • Getting the phone to play different sound effects
  • Specify the content in the Clipboard
  • Customize the notification and shortcut link, including the style and content
  • Control the Bluetooth to search and connect to another device
  • Set the accessibility to TRUE and terminate an ongoing phone call

Three versions of GhostCtrl

Trend Micro researchers say that the malware has three versions. The first one has been designed to allow it to gain admin privileges, while the second version can transform it into a mobile ransomware. This version would allow hackers to lock the device's screen, alter the device's password and also root it. "It can also hijack the camera, create a scheduled task of taking pictures or recording video, then surreptitiously upload them to the C&C server as mp4 files," Trend Micro researchers said. The third version of GhostCtrl comes with security evasion features.

"GhostCtrl's combination with an information-stealing worm, while potent, is also telling," researchers said. "The attackers tried to cover their bases, and made sure that they didn't just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl's capabilities can indeed deliver the scares."

How to stay safe?

Trend Micro researchers recommend that users "keep their devices updated." Organisations are encouraged to restrict permissions for employees for "BYOD devices" (which refers to the practise of allowing employees to bring their own devices to work and connect them to the firm's networks and systems), "to prevent unauthorized access and installation of dubious apps."

Researchers also encouraged users to install firewall and intrusion detection software, use encryption and regularly back up data.