Some versions of the malicious Android RAT named GhostCtrl can act not only as spyware, but also as ransomware, by leveraging the ability to reset passwords and lock device screens.

Researchers have uncovered a highly versatile Android remote access trojan that hijacks device functionality, steals information and can even perform ransomware attacks.

The malicious backdoor, dubbed GhostCtrl, is part of a larger campaign that also involves the Windows-based information-stealing worm RETADUP.A, according to Trend Micro, whose researchers found both pieces of malware. RETADUP was discovered on June 27 after samples were detected and blocked while attempting to infect two Israeli hospitals.

"The actors behind the attacks utilized both RETADUP and GhostCtrl. One targeted PCs while the other targeted Android users," said Jon Clay, director of global threat communication at Trend Micro, in an email interview with SC Media. "We're seeing more targeted attack actors utilize multiple malicious tools in their arsenal to ensure they are able to gather information and/or intelligence from their target victims."

Trend Micro did not further elaborate on why the two pieces of malware are linked to the same actor, or whether GhostCtrl similarly targeted health care institutions in Israel or elsewhere. SC Media has reached out for additional answers.

In a Monday blog post detailing the GhostCtrl threat, Trend Micro further reported that GhostCtrl gives attackers significant flexibility and options in terms of specifying which malicious actions to perform and what content to steal. For instance, the malware can secretly upload and download files, intercept and send out SMS and MMS messages, run shell commands, call phone numbers, and even record voice and audio and exfiltrate those recordings to a malicious server.

Even more unusual for RATs, the spyware can clear or reset specific account passwords, control Bluetooth in order to search for and connect to other devices, and disconnect active phone calls. The ability to reset passwords, as well as lock device screens, allows some versions of GhostCtrl to potentially act as ransomware, forcing users to pay up in order to regain control of their devices.

The malware can also steal an "extensive" range of information, Trend Micro warned, including data related to call logs, SMS records, contacts, phone numbers, SIM serial numbers, usernames, locations, Android OS versions, Wi-Fi and Bluetooth, cameras, browsers, searches, service processes, activity information, and more.

Trend Micro reports that the malware either directly descends from or closely imitates the multiplatform OmniRAT malware that notably hijacks not only Android devices, but also Windows, Mac and Linux systems (although Trend Micro did not come across any GhostCtrl samples that could cross over to platforms besides Android).

There are actually three versions of the malware, each one offering an increasing number of functions capable of being hijacked, the report continues. The first version introduced a framework to enable admin-level privilege, while the second introduced the ransomware capabilities and allows attackers to root infected devices. The third version incorporates obfuscation techniques to hide malicious routines, and also uses both a wrapper and an intentionally complex infection sequence chain to make detection more difficult.

Android users can infect themselves with GhostCtrl by downloading fraudulent versions of legit apps. Trend Micro said that malicious APKs laced with GhostCtrl have used names such as "App," "MMS," "whatsapp" and "Pokemon GO." Upon downloading, the malicious app will repeatedly send users pop-up requests for installation, even when they refuse such an action, until they finally give up and comply.