The malware is focused on displaying ads, promoting webpages and apps, and this is how its creators turn a profit.
In fact, Cheetah Mobile researchers say that the number of apps promoted by recent variants of this malware rivals that of apps offered by some third-party app stores.
These particular variants, that come disguised as an SMS manager app and an app by the name of Alarm Controller, promote over 30,000 different apps – both malicious and legitimate (but still unwanted).
According the researchers, the number of users infected with Ghost Push is small but stable. That’s because the Trojan is able to root victims’ devices by exploiting ELF file vulnerabilities, but is also capable of preventing other apps – such as scanning and AV removal apps – from gaining root privilege.
The malware is notoriously difficult to uninstall, as it can’t be deleted with a factory reset of the device. Flashing the devices’ ROM is the right solution, but users that are not tech savvy will find the process daunting.
Cheetah Mobile offers an app (Stubborn Trojan Killer) that purportedly removes rooting Trojans from Android devices, but according to reviews left by users, it might not work for some.
A definite solution for this infestation is to update to Android 6.0 (Marshmallow) or 7.0 (Nougat), as Ghost Push is unable to root those versions of the OS.
According to Google, the latter version used by a minuscule percentage of users (less than 0.1%), and Marshmallow is present on 18.7% of all Android devices. Almost all other Android users and their devices are vulnerable.
Those users that have not been yet affected by Ghost Push are advised to avoid clicking unknown third-party links and only download applications from reputable app stores – the malware is spread mainly through pornographic websites, deceptive ads and third-party webpages.