Pierluigi Paganini July 18, 2017

The GhostCtrl backdoor, is an OmniRAT-Based Android malware that can spy on victims, steal data and take over Windows System using the RETADUP infostealer.

Today’s smartphones are as powerful as the computers of only a few years ago. Unfortunately, that also means that Android phones have as many instances of malware as desktop and laptop computers. In 2016, Kaspersky Lab registered nearly 40 million attacks by malicious mobile software. Since smartphones are essentially full computers in your pocket, the bad guys are able to use many of the same techniques and in sometimes even the same tools! In late 2015 researchers at Avast discovered bad guys using the OmniRat remote administration tool (RAT) to compromise Android phones. On its own OmniRat is not malicious. It is a very capable tool for IT folks to provide remote support for Android users and even allows for remote access to Windows, Linux and Mac systems. It was also a very good tool for the bad guys to access your systems.

After several quiet months, OmniRat variants have been spotted in the wild and the software has benefitted from some significant updates since we last saw it. Dubbed GhostCtrl by Trend Micro researchers, it can do some “traditional” mobile malware things like:

• Upload and download files to or from the bad guys’ servers
• Send SMS messages to specified numbers (usually extra fee numbers)
• Provide real time sensor data

As well as some very cool, and scary new things like:

• Control the system infrared transmitter
• Surreptitiously record voice, audio or video
• Use the text-to-speech feature (i.e. translate text to voice/audio)
• Clear/reset the password of an account specified by the attacker
• Make the phone play different sound effects
• Terminate an ongoing phone call
• Use the Bluetooth to search for and connect to another device.

“The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device.” states the analysis from Trend Micro.

“Detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve named this Android backdoor GhostCtrl as it can stealthily control many of the infected device’s functionalities.”

This is scary enough — especially when you consider that there are a lot of bad guys out there that are only now starting to think of creative ways to exploit these new capabilities — GhostCtrl doesn’t limit itself to Android devices. Compromising a smartphone gives you access to a powerful computer, but most bad guys are after information. GhostCtrl comes with the RETADUP worm which was recently discovered stealing information from Windows systems in Israeli hospitals.

“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares.” continues Trend Micro.

How Do You Get Infected?

GhostCtrl comes as an Android Application Package (APK) masquerading as a legitimate Android app such as WhatsApp, Pokemon Go, MMS — anything that will appeal to users. When the wrapper APK is launched, it decodes text from the resource file, writes this string as another APK and then launches this Malicious APK prompting the user to install it. It is easy to see how a user could be fooled or confused as to what file is asking to be installed and proceeding. Once the malicious software is installed the wrapper APK runs it as a service with no visible icon allowing the malware to run silently in the background.

Once the malicious application is running in the background, it contacts Command and Control (C&C) servers on the Internet to determine its next actions as described above. Depending on the infected target and the motivations of the bad guys the GhostCtrl malware could be used for any number of malicious activities. If the infected phone is only used by an individual at home, ransomeware at the lock screen or pay-for-use SMS messaging is a good bet. However, since GhostCtrl has also been linked with RETADUP, bad guys could find themselves with an Android-based back channel into a Windows environment inside an enterprise, which offers many more opportunities for money making.

There have already been three versions of the GhostCtrl RAT identified in the wild, each adding features and capabilities to the previous version. You should expect that it will continue to be enhanced as it continues to be successful in making money for the authors. And while the Google Play store has hosted malware for brief periods of time, it is unlikely that an APK downloaded from the official Play Store will be GhostCtrl. If you are getting your APKs from anywhere else, you should brace for the worst.

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.