A new variant of Android malware discovered in the wild is threatening not just Android devices but Windows, Linux and Mac machines as well.
First detected by mobile security firm Trend Micro, the Android backdoor dubbed GhostCtrl has proven to be more powerful than standard mobile malware. It can give the attacker the ability to invade a person’s privacy by recording audio or video from the device and provide access to other systems.
In some ways, GhostCtrl behaves like standard Android malware. It gives the attacker the ability to upload and download files from a remote server to the infected device, can send SMS messages—usually at a fee—to numbers without permission, and send information recorded from the device.
In other ways, the malware strain is much more powerful than the typical attack. It won’t just grab information from the infected handset; it can also record audio and video without the owner’s permission. It can also use the text-to-speech feature, play sound effects, terminate an outgoing call, use Bluetooth to connect to another device and clear or reset the password of an account on the device.
Even worse, the malware isn’t limited to just taking advantage of Android devices. GhostCtrl also includes a worm called RETADUP that is capable of stealing information from Windows systems by using a connected, infected Android device as a back channel.
“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares,” researchers at Trend Micro said.
There have already been three versions of GhostCtrl identified in the wild, each with a new wrinkle that poses more of a threat to owners of Android devices. The inclusion of RETADUP, which was recently discovered stealing information from Windows machines in Israeli hospitals, extends the threat of the malware beyond mobile.
It goes without saying that most people would like to avoid being infected by any version of GhostCtrl. The malicious software often comes disguised as legitimate apps, using compromised versions of WhatsApp and Pokémon Go among others as its cover.
If a user downloads one of those corrupted apps—often found on third-party app marketplaces—and goes to open the download, the Android Application Package (APK) will launch GhostCtrl and prompt the user to install it. Once installed, GhostCtrl gives no indication that it is on the device. It runs silently in the background as the attacker gains access to the compromised handset.
The best step a user can take to avoid being infected by GhostCtrl is to download apps through the Google Play Store. While Google’s official marketplace hasn’t been as successful at keeping out malicious software as one might hope, it’s still a much safer bet than the wild west of third-party alternatives.