New “Ghost Push” Variants Sport Guard Code

By Yang Yang, Jordan Pan Halloween is still a month from now and yet Android users are already being haunted by the previously reported “Ghost Push” malware, which roots devices and makes them download unwanted ads and apps. The malware is usually packaged with apps that users may download from third-party app stores. Further investigation of Ghost Push revealed more recent variants, which, unlike older ones, employ the following routines that make them harder to remove and detect:

encrypt its APK and shell code,
run a malicious DEX file without notification,
add a “guard code” to monitor its own processes,
rename .APK (Android application package) files used to install the malicious apps,
and launch the new activity as the payload.

More than 20 kinds of Ghost Push variants are now being circulated in the wild and some are from the following URLs:

{blocked}.{blocked}dn.com /testapk/[sample name].apk
{blocked}.{blocked}ecdn.com/testapk/[sample name].apk
{blocked}.{blocked}dn.com/testapk/[sample name].apk
{blocked}.{blocked}n.com:80/testapk/[sample name].apk

Ghost Push have been active since April this year but has produced more variants in September than in months before.

Figure 1. Number of Ghost Push Android malware variants since April 2015

Apart from the 39 previously reported applications, the following is a sample list of Android apps infected with Ghost Push:

Demo
Door Screen Locker App
Loud Caller Name Ringtone
MagicStarMatchSweetDubbing
Photo Background Changer - Utltimate
Photo Cut Paste
Puzzle Bubble-Pet Paradise
RootMasterDemo
SuperZoom
开心捕鱼

Devices infected by the Ghost Push malware are located mostly in India (31.69%), Indonesia (23.54%), and Malaysia (8.18%).

Figure 2. Countries affected by Ghost Push

Note that the Ghost Push Android malware is in no way related to the XcodeGhost iOS threat. They may both contain "Ghost" in their names but they are fundamentally different threats. Ghost Push apps are sourced from third-party app stores while XcodeGhost apps were published in the official App Store. Over 600 Android Apps Published by Ghost Push Creator It is likely that a team of cybercriminals are behind Ghost Push and they are not exactly new to the malware creation industry. This group has already published a total of 658 different malicious applications (1,259 different versions) in third party app stores unrelated to Ghost Push. One of these apps have infected more than 100,000 devices; two, more than 10,000; and seven, more than 1,000. We also found two legitimate apps unrelated to Ghost Push that the same creators published on Google Play, which have since been removed. The app Popbird (com[dot]wenzhuo[dot]popbird) generated 5,000 to 10,000 downloads while the app Daily Racing (com[dot]leo[dot]car[dot]en) had about 1,000 to 5,000 downloads before they were taken down. These show that this group possess ample technical knowledge to effectively victimize thousands of devices and evade detection.

Figure 3. Typical permissions asked by a Ghost Push variant

Figure 4. Screenshot of the malicious Daily Racing app

New Variants Sport Guard Code, Other Features Ghost Push malware apps are downloaded by unsuspecting users in third party app stores. The shell APK file decodes a DEX file in the assets directory. This file is sometimes named protect.apk. Once done, the app runs the malicious DEX file without showing any icon or notification. After the DEX is loaded, the malware can then start launching other malicious activities and services, including automatically running the app on startup. The app then proceeds to root the device and then store the malicious payload in the memory. It uses the “chattr + i” command line to render the app an immutable object or one that can’t be erased even if users upgrade their software.

Figure 5. Ghost Push launches the new activity as the payload

Note that the Ghost Push malware automatically encrypts and decrypts itself throughout this process to hide critical information like files, strings and shellcode.

Figure 6. Ghost Push malware encrypts its APK

Figure 7. Ghost Push malware encrypts its shellcode

Figure 8. Ghost Push malware decrypts information

However, unlike with older variants, the newer Ghost Push malware uses the “Process watcher” command as a guard code to monitor existing processes in the device and ensure that malicious routines are running. This guard code also helps the malware calculate how much remaining space there is left for installing malicious apps.

Figure 9. Ghost Push malware uses “Process Watcher” to ensure that routines are running

Some of the newer variants also do not manifest routines from older versions, such as disabling devices’ WiFi connection to download malicious apps using mobile data connection. They also rename APKs’ package name to avoid conflicting with origin ones.

Figure 10. Ghost Push malware renames APKs

Since the device is already rooted and the process watcher is monitoring processes that might notify users, the app is free to do malicious routines. These include installing unwanted apps and ads, activating apps and ads when the screen is on, stealing personal information found on devices, and updating the malicious apps installed.

Solutions and Detections Customers using Trend Micro mobile solutions are protected from threats related to Ghost Push as we have been blocking and monitoring related malware since April this year. Threats like Ghost Push are detrimental to the privacy of device users. To defend from similar apps which go to great lengths to conceal and guard its processes, device users should take note of the following best practices:

Limit downloads to official app stores and even so remain updated with apps that are reported to be malicious.
Secure Android devices with mobile solutions that are constantly updated to defend from the latest threats and blocks malware before installation, such as the Trend Micro™ Mobile Security.

Now that consumerization is prevalent in enterprises, malware apps like this can easily get into corporate devices as well. As such, it is important for both individuals and companies to extend security to mobile devices. Mobile application management for enterprises identifies and blocks risky apps before they get inside mobile devices. The following detections are related to Ghost Push:

AndroidOS_Masksys.CBT SHA1: b341bf8a492ce482c8b0fee925a8ceee80ad0efa
AndroidOS_Syscore.CBT SHA1: c4c9df3a1ec5d46c2a7203f7e903d77cd8da97aa
AndroidOS_MaskSys.HRX SHA1: 0f0654f0de23c3efeae3a3cf8bcdd8346a8cf280

Full details on IOCs can be found in the Ghost Push appendix. Updated on October 2, 2015, 12:21 AM (UTC-7) to fix formatting errors. Updated on October 2, 2015, 10:09 AM (UTC-7) to include the appendix.