GhostCtrl is an Android remote access trojan (RAT) believed to be a version of OmniRAT. It infects users by disguising itself as a legitimate app, using the names “App,” “MMS,” “whatsapp,” and “Pokemon GO.” Once the app launches, it base64-decodes a string from its resource file, which is a malicious Android Application Package (APK) file, and writes the decoded APK to storage. It then asks the user to install it; even if the user cancels the “ask for install page” prompt, the message keeps popping up. Once installed, a wrapper APK launches while the malicious one runs in the background. The application has no icon.
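The dropper behaviour above (a base64 string in a resource file that decodes to a second APK) can be spotted statically. The following Python is an added example, not code from the page or from the referenced analyses: it scans resource text for long base64 runs, decodes each one, and reports those that turn out to be ZIP archives carrying APK members. The sample resource file and its embedded payload are constructed here for illustration.

```python
import base64
import binascii
import io
import re
import zipfile

# Constructed sample: a minimal in-memory ZIP that looks like an APK
# (it carries AndroidManifest.xml and classes.dex), base64-encoded and
# embedded in a string resource the way a dropper would carry its payload.
def _build_sample_apk_bytes() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()

SAMPLE_RESOURCES = (
    "<resources>\n"
    '  <string name="app_name">App</string>\n'
    '  <string name="payload">'
    + base64.b64encode(_build_sample_apk_bytes()).decode() + "</string>\n"
    # Long base64 that is NOT an APK (just 120 bytes of text); must not be flagged.
    '  <string name="banner">' + base64.b64encode(b"A" * 120).decode() + "</string>\n"
    "</resources>\n"
)

# Base64 alphabet run of at least 64 chars plus optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Members that every installable APK contains.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def find_embedded_apks(text: str) -> list:
    """Return one record per base64 run that decodes to a ZIP holding APK members."""
    hits = []
    for m in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue                      # not valid base64, skip
        if not blob.startswith(b"PK\x03\x04"):
            continue                      # decoded bytes are not a ZIP local header
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            continue
        found = sorted(APK_MARKERS & names)
        if found:
            hits.append({"offset": m.start(), "size": len(blob), "markers": found})
    return hits
```

Run it over `SAMPLE_RESOURCES` to see the payload string flagged while the benign base64 string is ignored; on a real unpacked APK, feed it the decoded `res/values/strings.xml` or any raw asset text.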

GhostCtrl’s capabilities include: monitoring the phone’s sensor data in real time; listing the files in the current directory and uploading the listing to the C2 server; deleting or renaming a file in a specified directory; uploading a chosen file to the C2 server; sending customized SMS/MMS messages to a number specified by the threat actor; deleting SMS messages; deleting browser history; downloading files; calling a specified phone number; opening activity review-related apps; and running a shell command specified by the actor and uploading the result. Once it takes control of an infected device, the trojan can reset the user’s PIN and display a ransom note to the victim. The trojan has three versions: the first gains admin-level privileges; the second can function as mobile ransomware, locking the device’s screen and resetting its password, and can root the infected device, take control of the camera, and schedule a task to take pictures or record video and upload them to the C2 server; and the third uses obfuscation techniques and a long attack chain to hide its malicious activities, making detection more difficult.

Technical Analysis

  • Researchers at Trend Micro provide technical analysis here.
  • Researchers at BleepingComputer provide technical analysis here.