GhostCtrl malware masquerades as popular apps to take over Android phones
WhatsApp, Pokemon GO and others have been imitated
Trend Micro has raised an alert on new malware called GhostCtrl, which is able to steal all sorts of data from Android phones and is based on OmniRAT.
GhostCtrl is a remote access trojan, or RAT, for Android. Like all the best threats, it lurks in the background and operates right under users' noses. The malware is a variant of OmniRAT, a piece of malware that can affect Android, Windows, Linux and Mac systems. Trend Micro says that there are three variants out there, and that the third version is a compilation or 'best of' the previous two attack methods and their features.
The attack has already proved itself. "The information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that turned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more dangerous threat: an Android malware that can take over the device," said Trend Micro's researchers.
"Detected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we've named this Android backdoor GhostCtrl as it can stealthily control many of the infected device's functionalities."
OmniRAT is a bought-and-sold threat, and GhostCtrl makes use of its much-promised one-button Android takeover feature and usurps known brands, such as WhatsApp, to get installed on Android devices.
"The malware masquerades as a legitimate or popular app that uses the names App, MMS, WhatsApp, and even Pokemon GO. When the app is launched, it base64-decodes a string from the resource file and writes it down, which is actually the malicious Android Application Package (APK)," added Trend Micro.
"The malicious APK, after dynamically clicked by a wrapper APK, will ask the user to install it. Avoiding it is very tricky: even if the user cancels the ‘ask for install page' prompt, the message will still pop up immediately. The malicious APK doesn't have an icon. Once installed, a wrapper APK will launch a service that would let the main, malicious APK run in the background."