A new piece of malware that infects devices running Google’s Android operating system has been discovered by Trend Micro. It allows attackers to gain significant control over a victim’s device. The malware has been dubbed GhostCntrl. It is a new threat related to a piece of malware that affected hospitals in Israel and allowed attackers to exfiltrate data: a worm known as RETADUP. Three versions of GhostCntrl are currently known. The original version allowed an attacker to exfiltrate data and exercise some control over the functions of the infected device. The second version gave the attacker control over even more device functions.
Neither the first nor the second version included any obfuscation of the routines the malware performed, which made both easier to detect. The third version, however, does obfuscate its routines, making it harder to detect, and it combines the better features of the first two versions. GhostCntrl was developed by modifying a multi-platform remote administration tool known as OmniRAT. This can be verified by examining the resources.arsc file, which shows that it was built from the OmniRAT backdoor tool. OmniRAT is commercially available and became infamous in 2015 when it emerged that attackers were using the remote administration tool to plant a backdoor on devices running Android, Windows, and Linux. A lifetime license for OmniRAT costs less than one hundred US dollars, and a cracked version of the tool has also been made available.
GhostCntrl disguises itself as a genuine app such as WhatsApp or Pokémon GO. When the app is opened it asks the victim to finish the installation, and the install prompt keeps reappearing even if the user tries to dismiss it. Once installed, the malicious APK is hidden and has no icon. The malware then establishes persistence: it runs in the background and starts again whenever the device is rebooted. To pass as a genuine Android component, the backdoor APK runs under the name com.android.engine. The malware then contacts a command and control server run by the attacker and waits for instructions. Data exchanged between the infected device and the attacker’s command and control server is sent over an encrypted channel.
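The masquerade described above (a hidden, icon-less APK running under the system-looking name com.android.engine) suggests a simple triage check a responder can run over a package listing pulled from a device. The following is an added example, not code from the article or from Trend Micro; it parses constructed `adb shell pm list packages -f` output and assumes, as a heuristic, that genuine `com.android.*` packages live in a system partition while user-installed or dropped APKs land under `/data/app`.

```python
# Constructed sample of `pm list packages -f` output; not a real device capture.
SAMPLE_LISTING = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/data/app/com.android.engine-1/base.apk=com.android.engine
"""

# Package name the report says the GhostCntrl backdoor APK runs under.
KNOWN_BAD_PACKAGES = {"com.android.engine"}

# Assumption (heuristic, not from the report): genuine Google/AOSP packages are
# shipped in a system partition; anything sideloaded or dropped lands in /data/app.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/", "/apex/")
RESERVED_NAMESPACES = ("com.android.", "com.google.android.")


def parse_listing(text):
    """Return (apk_path, package_name) pairs from `pm list packages -f` output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the last '=' because newer install paths may themselves contain '='.
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep and path and pkg:
            entries.append((path, pkg))
    return entries


def flag_suspicious(entries):
    """Map package name -> reason for every entry matching the report's indicators."""
    findings = {}
    for path, pkg in entries:
        if pkg in KNOWN_BAD_PACKAGES:
            findings[pkg] = "package name matches the GhostCntrl backdoor"
        elif pkg.startswith(RESERVED_NAMESPACES) and not path.startswith(SYSTEM_PREFIXES):
            findings[pkg] = "system-style package name installed outside a system partition"
    return findings


if __name__ == "__main__":
    for pkg, reason in flag_suspicious(parse_listing(SAMPLE_LISTING)).items():
        print(f"SUSPICIOUS {pkg}: {reason}")
```

On a real device, replace `SAMPLE_LISTING` with the output of `adb shell pm list packages -f`; a hit on the second rule is worth a closer look even when the package name is not the one from this report.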
Commands the attacker can execute on the victim’s device include controlling the WiFi, reading the device’s sensors, controlling the UiMode, controlling the vibration function, and controlling the infrared sensor. The attacker can also download new wallpapers and change the wallpaper. Other GhostCntrl functions include listing every file on the device together with details such as file size and modification date, and renaming or deleting files.
The attacker can send SMS and multimedia messages from the infected device and can even place phone calls from it. The attacker can also delete text messages and clear the history of web browsers on the infected device, upload data to the device, and execute shell commands. Features that are unique to the GhostCntrl backdoor and rarely seen in other remote access tools include resetting and changing account passwords, altering data stored in the clipboard, playing audio files on the infected device, terminating phone calls, and controlling the infected device’s Bluetooth chip.
While Android vulnerabilities receive more publicity, iOS also suffers from serious vulnerabilities. Google’s primary competitor, Apple, is currently facing similar problems with the mobile devices running its iOS operating system. A serious vulnerability was recently discovered in devices including the iPhone 5 and later, the iPad 4 and later, and the 6th-generation iPod. The vulnerability lies in the Broadcom WiFi chip that these Apple devices contain. A talk detailing this vulnerability is scheduled for the next Black Hat conference in Las Vegas. Unfortunately, both major mobile operating systems have been plagued with security issues and will continue to be for the foreseeable future.