Tech

Ghost Push malware evolves in Android app infection spree

Over 20 new variants of the malware in the wild embedded in Android apps are able to root devices and compromise systems.

Written by Charlie Osborne, Contributing Writer Oct. 1, 2015 at 3:42 a.m. PT

The Ghost Push malware continues to circulate in the wild and has been detected infecting Android apps to compromise user mobile devices.

Researchers at Trend Micro say the new variations are more difficult to detect and are pushing the malware epidemic to another level, with earlier research suggesting Ghost Push is infecting 600,000 users per day.

The malware enters mobile devices through users downloading malicious apps offered by third-party hosts rather than the official Google Play Store.

In total, 39 original apps -- including spoofed versions -- facilitated the spread, including WiFi Enhancer, Amazon, Super Mario, Memory Booster and WordLock.

It is worth noting that apps downloaded from the official Google Play Store are not the same as third-party versions, as the latter do not have to go through the security checks demanded by Google.

While Ghost Push has been active since April this year, activity spiked in September.

Further investigation has revealed Ghost Push is now being modified and over 20 variants of the malicious code is in the wild. The researchers say the new strains are more difficult to detect and eradicate as the variants not only encrypt their Android application package file (APK) -- used to install and distribute software -- and shell code, but also renames the .APK file used to install malicious code.

In addition, a "guard code" has been added to monitor its own processes.

The malware runs a malicious DEX file after installation, which does not show up through any icon or notification. Once the DEX file has loaded, other activities take place such as downloading malicious processes and running the app automatically on startup. The malware then roots the victim's device, storing payloads in memory to stop the erasure of Ghost Push on update.

Featured

The malware is then free to install unwanted apps and adverts, conduct surveillance and steal personal information.

Adding to the list of 39 applications known to be infected, some of the additional Ghost Push malware sources can be found in Android variations of Demo, Photo Background Changer Ultimate, Puzzle Bubble-Pet Paradise, RootMasterDemo, SuperZoom and Door Screen Locker.

Infections have mainly been discovered in India, Indonesia and Malaysia.

Trend Micro says the team behind Ghost Push have published over 650 malicious applications -- a total of 1,259 versions -- in third party application stores unrelated to the latest Ghost Push threat. The firm says one of these apps has already infected over 100,000 devices.

However, it does seem the cyberattackers are also looking towards Google Play to generate legitimate income, having published two now-removed apps, Popbird and Daily Racing, which generated thousands of downloads.

To avoid becoming an unwitting victim of the malware, you should only download Android mobile applications from the Google Play Store or trusted third parties.