Android backdoor GhostCtrl can do many unusual things

There is no shortage of Android malware, but it’s not often that one encounters an Android threat that can do as much as the GhostCtrl backdoor.

According to Trend Micro researchers, the threat cycled through three iterations and the latest is especially capable, as it can steal all kinds of information, is “hauntingly persistent,” and can take complete control of the device and make it do all kinds of things.


Snapshot of GhostCtrl version 3’s resources.arsc file indicating it’s an OmniRAT variant

GhostCtrl backdoor’s capabilities

The GhostCtrl backdoor is based on the multiplatform OmniRAT, sold on dark web marketplaces for anywhere between $25 and $75.

Its C&C communication is encrypted, and the commands it receives contain action code and Object DATA, which, according to the researchers, “enables attackers to specify the target and content, making this a very flexible malware for cybercriminals.”

The malware can be instructed to do things like monitor the phone sensors’ data in real time, download pictures as wallpaper, upload a desired file to the C&C server, send a customized SMS/MMS to a number specified by the attacker, and download files, but also more unusual things like:

  • Control the system infrared transmitter
  • Surreptitiously record voice or audio
  • Use the text-to-speech feature (i.e. translate text to voice/audio)
  • Clear/reset the password of an account specified by the attacker
  • Make the phone play different sound effects
  • Terminate an ongoing phone call
  • Use the Bluetooth to search for and connect to another device.

It can steal a smorgasbord of valuable information: call logs, SMS records, contacts, phone numbers, SIM serial number, location, Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.

Hiding from victims

The malware usually masquerades as a legitimate popular app (e.g. WhatsApp, Pokémon GO, etc.).

“When the app is launched, it base64-decodes a string from the resource file and writes it down, which is actually the malicious Android Application Package (APK). The malicious APK, after dynamically clicked by a wrapper APK, will ask the user to install it. Avoiding it is very tricky: even if the user cancels the ‘ask for install page’ prompt, the message will still pop up immediately,” the researchers shared.

“Once installed, a wrapper APK will launch a service that would let the main, malicious APK run in the background.”
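For triage of a suspect wrapper app, the dropper behaviour the researchers describe (an APK stored as a base64 string in a resource file) can be checked statically. The following is an added example, not code from Trend Micro or from the malware: it scans every entry of an APK for a base64 run that decodes to a ZIP containing `AndroidManifest.xml`. The function names, the length threshold and the sample builder are assumptions, and it covers only plain base64, not additionally obfuscated payloads.

```python
import base64
import io
import re
import zipfile

# base64 of the ZIP local-file-header magic "PK\x03\x04" always starts "UEsDB" + one of A-P.
# The 58-character minimum tail is an assumed threshold to skip short coincidental matches.
B64_ZIP = re.compile(rb"UEsDB[A-P][A-Za-z0-9+/]{58,}={0,2}")


def _decoded_apk_size(run):
    """Return the decoded size if `run` is a ZIP holding AndroidManifest.xml, else 0."""
    try:
        raw = base64.b64decode(run + b"=" * (-len(run) % 4))
        with zipfile.ZipFile(io.BytesIO(raw)) as inner:
            return len(raw) if "AndroidManifest.xml" in inner.namelist() else 0
    except (ValueError, zipfile.BadZipFile):
        return 0


def find_embedded_apks(apk_bytes):
    """List (entry name, decoded size) for every base64-encoded APK inside an APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            data = outer.read(name)
            # Raw bytes cover UTF-8 string pools; the two strided views cover
            # UTF-16LE pools, where each ASCII character is followed by a NUL.
            for view in (data, data[0::2], data[1::2]):
                for match in B64_ZIP.finditer(view):
                    size = _decoded_apk_size(match.group())
                    if size:
                        hits.append((name, size))
    return hits


def build_constructed_sample(embed=True, utf16=False):
    """Constructed input (not a real sample): wrapper APK plus the inner APK's size."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    blob = base64.b64encode(inner.getvalue()) if embed else b"ordinary app strings"
    if utf16:
        blob = blob.decode("ascii").encode("utf-16-le")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00" + blob + b"\x00\x00")
        z.writestr("classes.dex", b"dex\n035\x00")
    return outer.getvalue(), len(inner.getvalue())
```

To check a file on disk, pass its bytes to `find_embedded_apks`; any hit on an app that claims to be a well-known messenger or game is a strong reason to pull the decoded payload for further analysis.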

The malware hides from users by not having an icon, and the main APK has backdoor functions usually named to mislead the user into thinking it’s a legitimate system application. The attack chain of the malware’s third (and most capable) version incorporates obfuscation techniques to hide its malicious routines.

The GhostCtrl backdoor is, according to the researchers, used in conjunction with the information-stealing RETADUP worm, which targets Windows machines.

“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares,” the researchers concluded.
