Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Ghost Push possesses Android devices; only version 6.0 is safe

“I ain't afraid of no Ghost Push?" Better think again if you're an Android user with a device operating on anything lower than version 6.

According to researchers at Cheetah Mobile, the latest iteration of the old Ghost Push trojan – discovered in September 2015 – is capable of rooting almost all phones running on Android Lollipop or any OS that preceded it. According to Google's latest platform statistics (dated Sept. 5), only 18.7 percent of Android users are on version 6.0 – aka Marshmallow – or higher, meaning there are plenty of potential victims still susceptible to this threat.

In a blog post published last Friday, the Chinese mobile Internet company analyzed its recent mobile device scanning data and found that the most common malware programs spreading to devices via malicious links all belonged to the Ghost Push family. Among them was a malicious program called Wireless Optimizer, which promotes various ads, apps and web pages – some pornographic – but also secretly roots victims' phones, and tricks users into spending money or downloading additional malware.

The dataset appears to comprise all of August 2016. has reached out to Cheetah Mobile to confirm.

“Through pushing ads and distributing apps to these users, the trojans can make profits constantly,” the blog post explains. Meanwhile, the malware roots the infected phone by uploading its model information and obtaining ELF (Executable Linkable Format) files for that model.

As a means of evading detection, the malware hides its core coding in its system directory in order “to disguise the malware as the built-in apps of the phone.” And as an additional protective measure, it prevents third parties from taking over root privilege.

Most of the links that delivered the malware to users were short links and ad links, Cheetah Mobile reported. Malaysia (14 percent), Vietnam (13 percent), and Colombia (10 percent) saw the highest percent of infections, with the U.S. registering at two percent.

Android users can dodge the threat by upgrading their phones to version 6.0. But for now, most users remain on Lollipop (35 percent) or an even earlier version.

"When you compare the take-up of new versions of Android compared to Apple iOS it's clear that one ecosystem does a much better job of getting its users to upgrade to the latest version of their OS, protecting against security vulnerabilities, than the other," wrote security researcher Graham Cluley Monday in a Tripwire blog post. "If you buy a smartphone manufactured by Google, you're probably going to have a route for receiving new Android operating system updates within a reasonable amount of time. [But] the problem for owners of many other devices is that carriers, smartphone manufacturers and Google all have to work in unison to get an update pushed out to users. And they just don't seem to have enough incentive to pull together in the right direction for the benefit of their customers."

Cheetah Mobile also looked at malicious mobile applications that were distributed by third-party sources that the security firm was unable to identify. In these instances, the company found two Trojans that were primarily responsible for distributing malware and unwanted apps: com.sms.syss.maanger and Mobile users in India experienced the majority of these malware infections in August – over 50 percent – followed by device-owners in Indonesia and the Philippines. Collectively, the two Trojans were found promoting around 30,000 to 40,000 apps per day.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.