“The danger of apps Trojanized with Ghost Push malware is far from over – according to Trend Micro researchers, the number of variants of the hard-to-remove malware has soared in September.
Cheetah Mobile researchers, who warned the public about Ghost Push earlier this month, found 39 apps infected with it, all offered for download on third-party online app markets. The list included games, utility and media apps, and adult content apps: Amazon, XVideo Codec Pack, Super Mario – to name just a few.
Trend Micro has added to that list more apps.
Over half of all the devices currently infected are located in India and Indonesia, the rest are scattered throughout Asia, Russia, and the rest of the world:
The newer variants are also more difficult to spot and remove, as they employ new routines such as encrypting their APK and shell code, renaming the APK files, adding guard code to monitor their own processes, etc.
As before, Ghost Push malware roots the infected phone and downloads unwanted apps which show annoying ads, so that the cyber crooks behind this scheme can earn money,
“It is likely that a team of cybercriminals are behind Ghost Push and they are not exactly new to the malware creation industry,” the researchers shared. “This group has already published a total of 658 different malicious applications (1,259 different versions) in third party app stores unrelated to Ghost Push. One of these apps have infected more than 100,000 devices; two, more than 10,000; and seven, more than 1,000. We also found two legitimate apps unrelated to Ghost Push that the same creators published on Google Play, which have since been removed.”
Users are advised to be careful what they are downloading, both from third party stores and Google Play. Mobile security software can help catch malicious apps before they get installed, but if you have already fallen for this particular scheme, you can try to remove the malware manually or by using this app from Cheetah Mobile (but the phone has to be rooted first).”