Ghost Push

Ghost Push is a Trojan that originally surfaced in 2014, infecting 600,000 Android devices during its peak. After installation, a malicious DEX file, a file containing compiled Android application code, runs and roots the device, causing malicious processes to run upon startup of the app. This malware is able to install unwanted apps and programs onto a device, spy on users, steal personal information, and display ads tricking users to pay for additional “services”. Ghost Push is hidden in apps that are not downloaded through the Google Play store, but instead from outside parties. It has been detected in apps such as WiFi Enhancer, Privacy Lock, and Memory Booster and is often spread through malicious links, malvertising, and pornography websites.  Keeping your Android device up-to-date with Android Marshmallow 6.0 or Nougat 7.0 will keep your device safe from this Trojan. Ghost Push is found on outdated devices running Android Lollipop (Android 5.0), or earlier. If infected with this malware, devices can remove Ghost Push by flashing the ROM, updating the device to Android 6.0, or using a reputable antivirus application.


  • September 2015: Activity in Ghost Push spiked. (Android Authority)
  • October 2016: Cheetah Mobile publishes analysis of the sources of mobile Trojans. (Cheetah Mobile)

Technical Details

  • September 2015: Cheetah Mobile provides technical analysis of Ghost Push here.
  • September 2015: Trend Micro provides technical analysis of Ghost Push here.