Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More

By | July 17, 2017

by Lenart Bermejo, Jordan Pan, and Cedric Pernet

The information-stealing RETADUP worm that affected Israeli hospitals is unquestionably solely an factor of an assault that turned out to be greater than we first thought—at least when it entails impact. It was accompanied by an method extra dangerous threat: an Android malware that will take over the device.

Detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve named this Android backdoor GhostCtrl as a evolting disgusting of it would properly stealthily administration lots of the contaminated device’s functionalities.

There are three variations of GhostCtrl. The first stole knowledge and managed simply a few of the device’s functionalities with out obfuscation, whereas the second added extra gadget options to hijack. The third iteration combines the greater of the sooner versions’ features—and then some. Based on the strategies every employed, we’re in a place to solely anticipate it to extra evolve.

GhostCtrl is actually a ghost of itself
GhostCtrl will be actually a variant (or no decrease than primarily based on) of the commercially sold, multiplatform OmniRAT that made headlines in November 2015. It touts that it would properly remotely take administration of Windows, Linux, and Mac strategies on the contact of an Android device’s button—and vice versa. A lifetime license for an OmniRAT package deal prices between US $25 and $75. Predictably OmniRAT cracking tutorials abound in different underground forums, and a few its members even current patchers for it.

There’s actually a purple flag that reveals how the malicious APK is an OmniRAT spinoff. Given that it’s a RAT as a service, it will probably be modified (or removed) all by means of compilation.

Figure 1: Snapshot of GhostCtrl mannequin 3’s resources.arsc file indicating it’s an OmniRAT variant (highlighted)

GhostCtrl is hauntingly persistent
The malware masquerades as a professional or widespread app that makes use of the names App, MMS, whatsapp, and even Pokemon GO. When the app is launched, it base64-decodes a string from the useful resource file and writes it down, which is unquestionably the malicious Android Application Package (APK).

The malicious APK, after dynamically clicked by a wrapper APK, will ask the person to place in it. Avoiding it is terribly tricky: even when the person cancels the “ask for set up page” prompt, the message will nonetheless pop up immediately. The malicious APK doesn’t have an icon. Once installed, a wrapper APK will launch a service that will let the main, malicious APK run inside the background:

Figure 2: How the wrapper APK ends inside the precept APK

The predominant APK has backdoor capabilities usually named to mislead the person into pondering it’s a professional a system application. The malicious APK will then hook up with the C&C server to retrieve instructions by way of the socket (an endpoint for communication between machines), new Socket(“hef–klife[.]”, 3176).

GhostCtrl can possess the contaminated gadget to do its bidding
The instructions from the C&C server are encrypted and domestically decrypted by the APK upon receipt. Interestingly, we additionally found that the backdoor connects to a web web site pretty than immediately connecting to the C&C server’s IP address. This will be an try to obscure their traffic. We additionally found a quantity of Dynamic Name Servers (DNS), which inside the tip led to the identical C&C IP address:


A notable command accommodates movement code and Object DATA, which permits attackers to specify the goal and content, making this a terribly versatile malware for cybercriminals. This is the command that permits attackers to manipulate the device’s functionalities with out the owner’s consent or knowledge.

Here’s a itemizing of simply a few of the movement codes and what every does to the device:

ACTION CODE =10, 11: Control the Wi-Fi state
ACTION CODE= 34: Monitor the cellphone sensors’ knowledge in exact time
ACTION CODE= 37: Set phone’s UiMode, like night mode/car mode
ACTION CODE= 41: Control the vibrate function, collectively with the pattern and when it will vibrate
ACTION CODE= 46: Download footage as wallpaper
ACTION CODE= 48: List the file knowledge inside the current listing and add it to the C&C server
ACTION CODE= 49: Delete a file inside the indicated directory
ACTION CODE= 50: Rename a file inside the indicated directory
ACTION CODE= 51: Upload a desired file to the C&C server
ACTION CODE= 52: Create an indicated directory
ACTION CODE= 60: Use the textual content material to speech attribute (translate textual content material to voice/audio)
ACTION CODE= 62: Send SMS/MMS to a quantity specified by the attacker; the content material will even be customized
ACTION CODE= 68: Delete browser history
ACTION CODE= 74: Download file
ACTION CODE= 75: Call a cellphone quantity indicated by the attacker
ACTION CODE= 77: Open exercise view-related apps; the Uniform Resource Identifier (URI) will even be specified by the attacker (open browser, map, dial view, etc.)
ACTION CODE= 78: Control the system infrared transmitter
ACTION CODE= 79: Run a shell command specified by the attacker and add the output result

Another distinctive C&C command is an integer-type command, which is accountable for stealing the device’s data. Different types of sensitive—and to cybercriminals, valuable—information will probably be collected and uploaded, collectively with name logs, SMS records, contacts, cellphone numbers, SIM serial number, location, and browser bookmarks.

The knowledge GhostCtrl steals is extensive, in contrast with fully different Android info-stealers. Besides the aforementioned knowledge types, GhostCtrl can additionally pilfer knowledge like Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, knowledge from camera, browser, and searches, service processes, exercise information, and wallpaper.

It can additionally intercept textual content material messages from cellphone numbers specified by the attacker. Its most daunting performance is the method by means of which it would properly surreptitiously report voice or audio, then add it to the C&C server at a sure time. All the stolen content material will probably be encrypted earlier than they’re uploaded to the C&C server.

Figure 3: Code snapshot exhibiting how some knowledge will probably be deleted after upload

Figure 4: Most of the associated function codes for stealing knowledge are inside the “transfer” package.

The fully different C&C instructions are self-defined, comparable to “account”, “audioManager”, and “clipboard”. These instructions will set off malicious routines. It’s worth noting that these aren’t generally seen in Android RATs:

Clearing/resetting the password of an account specified by the attacker
Getting the cellphone to play fully different sound effects
Specify the content material inside the Clipboard
Customize the notification and shortcut link, collectively with the mannequin and content
Control the Bluetooth to go trying out and hook up with a distinctive device
Set the accessibility to TRUE and terminate an ongoing cellphone call

How do GhostCtrl’s variations stack as a lot as every other?
GhostCtrl’s first mannequin has a framework that permits it to attain admin-level privilege. While it had no function codes on the time, the second mannequin did. The options to be hijacked additionally incrementally elevated as a evolting disgusting of the malware superior into its second and third iterations.

Figure 5: Framework of GhostCtrl’s first mannequin for gaining admin-level privilege

Figure 6: Comparison of backdoor function of the predominant (left) and second (right) versions

Figure 7: Code snapshot of GhostCtrl’s second mannequin making use of gadget admin privileges

GhostCtrl’s second mannequin will even be a mobile ransomware. It can lock the device’s monitor and reset its password, and in addition root the contaminated device. It can additionally hijack the camera, create a scheduled job of taking footage or recording video, then surreptitiously add them to the C&C server as mp4 files.

Figure 8: Code snapshot exhibiting GhostCtrl’s ransomware-like capability

Figure 9: Code snapshot exhibiting how GhostCtrl roots the contaminated device

The third mannequin of GhostCtrl incorporates obfuscation strategies to cowl its malicious routines, as proven below:

Figure 10: The assault chain of GhostCtrl’s third version

In GhostCtrl’s third version, the wrapper APK first drops a packed APK. The latter unpacks the precept APK, a Dalvik executable (DEX), and an Executable and Linkable Format file (ELF). The DEX and ELF recordsdata decrypt strings and Application Programming Interface (API) calls inside the precept malicious APK in runtime. This longwinded assault chain helps make detection extra challenging, exacerbated by the fact that the wrapper APK hides the packed APK as properly as to DEX and ELF recordsdata inside the belongings directory.

GhostCtrl’s combination with an information-stealing worm, whereas potent, will be telling. The attackers tried to cowl their bases, and made sure that they didn’t simply infect endpoints. And with the ubiquity of cell models amongst agency and on an everyday basis finish users, GhostCtrl’s capabilities can certainly ship the scares.

But greater than its impact, GhostCtrl underscores the significance of protection in depth. Multilayered safety mechanisms should be deployed so as that the risks to knowledge are greater managed. Some of the most interesting practices that knowledge safety professionals and IT/system directors can undertake to secure bring-your-own models (BYOD) include:

Keep the gadget updated; Android patching is fragmented and organizations might have custom-made requirements or configurations needed to maintain the gadget updated, so enterprises ought to steadiness productiveness and security
Apply the precept of least privilege—restrict person permissions for BYOD models to cease unauthorized entry and set up of doubtful apps
Implement an app reputation system that will detect and block malicious and suspicious apps
Deploy firewalls, intrusion detection, and prevention strategies at each the endpoint and cell gadget ranges to preempt the malware’s malicious community activities
Enforce and strengthen your cell gadget administration insurance coverage policies to extra scale again potential safety risks
Employ encryption, community segmentation and knowledge segregation to restrict extra publicity or damage to data
Regularly again up knowledge in case of gadget loss, theft, or malicious encryption


Trend Micro Solutions
End clients and enterprises can additionally revenue from multilayered cell safety options comparable to Trend Micro™ Mobile Security for Android™ which may even be obtainable on Google Play.

Trend Micro™ Mobile Security for Enterprise provides device, compliance and utility management, knowledge protection, and configuration provisioning, as properly as to protects models from assaults that leverage vulnerabilities, stopping unauthorized entry to apps, as properly as to detecting and blocking malware and fraudulent websites.

A guidelines of all of the hashes (SHA-256) detected as ANDROIDOS_GHOSTCTRL.OPS/ANDROIDOS_GHOSTCTRL.OPSA is on this appendix.

Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More

Please check this great service at: or visit FREE SERVICES menu

[Total: 0    Average: 0/5]

Leave a Reply

Your email address will not be published. Required fields are marked *