Security researchers from TrendLabs discovered ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA and named this Android backdoor GhostCtrl because it can stealthily control many of the infected device's functions.
GhostCtrl is a variant of (or is at least based on) the commercially sold, multiplatform OmniRAT that made headlines in November 2015. OmniRAT is advertised as able to remotely take control of Windows, Linux, and Mac systems from an Android device, and vice versa. The malware masquerades as a legitimate or popular app, using names such as App, MMS, whatsapp, and even Pokemon GO.
One of the C&C commands is responsible for stealing the device's data. Different kinds of sensitive (and, to cybercriminals, valuable) information are collected and uploaded, including call logs, SMS records, contacts, phone numbers, the SIM serial number, location, and browser bookmarks.
The range of data GhostCtrl steals is extensive compared to other Android info-stealers. Besides call logs, SMS records and phone numbers, it can also pilfer the Android OS version, username, Wi-Fi, battery, Bluetooth and audio states, UiMode, sensor data, data from the camera, browser and searches, service processes, activity information, and the wallpaper. It can also intercept text messages from phone numbers specified by the attacker.
Its most daunting capability is that it can surreptitiously record voice or audio and upload the recording to the C&C server at a scheduled time. All stolen content is encrypted before it is uploaded to the C&C server, so network monitoring cannot rely on inspecting the payload itself to spot the exfiltration.
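The capability list above maps almost one-to-one onto Android runtime permissions: reading call logs, SMS, contacts, location and the SIM/phone identity, recording audio, using the camera and reaching a C&C server all require the app to declare the corresponding permission in its manifest, and intercepting incoming SMS is typically done with a high-priority broadcast receiver for the SMS_RECEIVED action. The following triage script is an added example written for this page; it is not GhostCtrl code and not TrendLabs tooling. It parses an AndroidManifest.xml, counts how many of the described data-theft capabilities the app is positioned to exercise, and reports any SMS-intercept receivers. The two manifests, the package names, the capability threshold, and the permission-to-capability mapping are constructed assumptions for illustration; real samples should be decoded with a tool such as apktool first, and a manifest match is a reason to look closer, not proof of infection.

```python
"""Heuristic AndroidManifest.xml triage for the GhostCtrl-style data-theft capability set.

Added example for this page (not code from the malware or from TrendLabs).
The manifests below are constructed samples, not real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name
PRIORITY = f"{{{ANDROID_NS}}}priority"  # android:priority on an <intent-filter>

SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Capabilities the write-up attributes to GhostCtrl, keyed to the permissions an app
# must request to obtain that data. This is the standard Android permission model,
# not something extracted from the sample. READ_HISTORY_BOOKMARKS only exists on
# older Android releases, which is why it is kept alongside the modern permissions.
CAPABILITY_PERMISSIONS = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "SMS records / interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "phone number / SIM serial": {"android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "browser bookmarks": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "upload to C&C": {"android.permission.INTERNET"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def sms_receivers(manifest_xml: str) -> list:
    """Return (receiver class, filter priority) for receivers that listen for incoming SMS.

    A very high priority lets a receiver see the message before the stock SMS app,
    which is the classic way an Android stealer intercepts text messages.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                found.append((receiver.get(NAME), int(flt.get(PRIORITY, "0"))))
    return found


def matched_capabilities(permissions: set) -> list:
    """Capabilities from the write-up that the requested permissions would enable."""
    return [cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & permissions]


def triage(manifest_xml: str, min_capabilities: int = 5) -> dict:
    """Flag an app whose permission set covers most of the described theft capabilities
    plus a network channel to exfiltrate over. min_capabilities is an assumed threshold."""
    caps = matched_capabilities(requested_permissions(manifest_xml))
    receivers = sms_receivers(manifest_xml)
    suspicious = len(caps) >= min_capabilities and "upload to C&C" in caps
    return {"capabilities": caps, "sms_receivers": receivers, "suspicious": suspicious}


# Constructed manifest mimicking a stealer that poses as "whatsapp" (hypothetical package name).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="whatsapp">
    <receiver android:name="com.example.fake.SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast (hypothetical flashlight app).
FLASHLIGHT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Torch"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("flashlight", FLASHLIGHT_MANIFEST)):
        print(label, triage(manifest))
```

Run against a decoded APK with `triage(open("AndroidManifest.xml").read())`. The threshold is deliberately coarse: a messaging app legitimately holds several of these permissions, so the value of the script is in surfacing the combination of broad data access, RECORD_AUDIO, INTERNET and a high-priority SMS receiver in an app whose label (here "whatsapp") does not match its package name, which is exactly the masquerading pattern described above.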
For more information: check the TrendLabs Security Intelligence blog.