This article was published on July 18, 2017

Old Android malware uses new tricks to turn your phone into a spying device


Old Android malware uses new tricks to turn your phone into a spying device

Weeks after discovering a malicious agent programmed to snatch patient data from Israeli hospitals, Dutch cybersecurity firm Trend Micro has come across another nasty attack vector: An Android vulnerability that allows ill-intended individuals to surreptitiously take over control of your device.

Dubbed GhostCtrl, Trend Micro researchers claim they have been able to detect at least three distinctive variations of the malware. While the first two were designed to scrape data and remotely control various phone features, the third iteration combines the best of the previous two – and then adds more.

The worst part is that the cybersecurity pundit predicts the vulnerability will continue to evolve.

According to their findings, GhostCtrl is an extension of the data-extracting worm spreading among Israeli hospitals and the infamous OmniRAT exploit that first made headlines with its claims to remotely hijack Windows, Mac and Linux systems via any Android device – and vice versa.

The malicious software is often camouflaged as legitimate apps such as WhatsApp and Pokemon Go. Once launched, the main app proceeds to install a hidden malicious Android Application Package (APK) that runs in the background.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

At that point, attackers can exploit this backdoor to get infected devices to do its bidding. Trend Micro warns that the flaw allows for the execution of a fairly wide range of commands, enabling hackers to specify and target the content without the owner’s consent or knowledge.

The company has since published a list of executable action codes that allows hackers to:

  • Monitor your sensors’ data in real-time
  • Delete, modify and transfer files in your system
  • Call and send texts to your contacts
  • Collect information like call logs, SMS records, location entries as well as browser bookmarks.

Here is the full list:

In addition to all of this, the researchers note that GhostCtrl also has the capacity remotely reset passwords, play different sounds on your phone, record and distributed footage, control your Bluetooth and more.

This essentially means that once an attacker has succeeded to infect your system, your device has been all but transformed into a full-fledged covert listening device specifically equipped to spy on you.

“The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints,” Micro Trend researchers remarked. “And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares.”

To steer away from trouble, Trend Micro advices users to promptly update their phones to the latest version of Android available, restrict user permissions on their personal devices, and regularly back up their data.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with