GhostCtrl Android malware is a backdoor that can control the functionalities of an infected Android device. It is a Remote Access Trojan (RAT) that can also steal and exfiltrate information. It can reset the pin of an Android device, lock the device and then demand a ransom to unlock the device.
GhostCtrl is based on the infamous OmniRAT that can remotely take control of multiple operating systems such as Windows, Linux, and Mac systems. GhostCtrl could be considered to be the deadliest version of the OmniRAT, yet. The OmniRAT first came to be noticed in November 2015 and was the only malware that could affect multiple operating systems. It’s creators or marketers, offered it as software as a service – and rather cheaply too. This enabled many cyber criminals to subscribe to this malware and use it for their malicious activities.
OmniRAT spyware provides full remote control of devices – from desktops to phones. The attack tricks a user to click on a link in an SMS message and the spyware gets loaded on to the device.
The Latest Attack
The latest version of this omnipotent malware – GhostCtrl – has been used to target Israeli healthcare organizations. The continuous campaign targeted Windows computers as well as Android devices of users connected to the healthcare organizations. Cyber security researchers who analyzed the attack discovered that the malware was a sophisticated combination of a worm, a remote access Trojan (RAT) that functioned as a backdoor, and a data stealer.
Capabilities of GhostCtrl Android Malware
The GhostCtrl malware used to target Android devices acquires numerous dangerous permissions. It has the ability to access and infect even the root of the device and can contact a command and control (C&C) server and send information from the device. It can list, rename, send, delete files from the C&C server. It can also download files from the C&C server onto the device, which could be even more dangerous payload.
The GhostCtrl malware can send SMS/MMS to specific numbers, intercept SMS from specific numbers, as well delete text messages.
The malware can control the state of the Wi-Fi overriding the controls set by the user, which allows it to connect to Wi-Fi at times of its choosing. GhostCtrl can record audio and send that info as a file. It can also call specific phone numbers, and send details in the contact list, phone numbers, message records, the OS version, SIM number, the user name, data stored on the clip board, photos, etc…,
It can download wallpapers and use that as the lock screen. GhostCtrl also has the capability to monitor the various sensors on the phone.
How to Ensure Android Security
The GhostCtrl Android malware is very dangerous and the general advice would be not to install apps from outside Google Play Store. Additionally, a robust Android antivirus solution that offers effective protection against zero-day exploits and next-generation malware threats is needed even for Android devices.