Security experts continue to report incidents caused by the Ghost Push Android malware, a threat that has now been active for more than a year.
The Ghost Push Android Malware Continues to Grow
Some of the first reports mentioning the Ghost Push malware came from Trend Micro researchers in September of last year. At that time the malware was being distributed through infected applications hosted both on the Google Play Store and in third-party repositories.
Ghost Push is actually a whole family of related malware. Depending on the variant and its configuration, the threats follow this sequence of steps:
- Encrypt the APK and shellcode
- Run a malicious DEX without user notification
- Create and add a “guard code” that monitors the malware process execution
- Rename the malicious APK file to install other malicious apps
- Launch the new activity as the payload
The majority of current infections come from sideloaded applications, that is, programs installed from sources other than the Google Play app store.
In 2015 alone Ghost Push infected about 900,000 Android devices. The Trojan hides itself inside other applications, and its code allows it to obtain full root access to the victim's device.
In some of the latest attacks Ghost Push has changed its infection tactics: recent distribution methods include malicious links promoted through hijacked sites.
The top two carrier applications are “Wireless Optimizer” and “WiFi Master Pro”; both run on rooted devices and display malicious ads. Ghost Push has been found to affect mostly users located in Colombia, Vietnam and Malaysia.
The newest iteration of the threat is capable of rooting all Android devices except those running Android version 6.0. According to the 2015 Trend Micro security report, there are more than 20 variants of the Ghost Push code in total, and they have been found in more than 600 compromised Android applications.