- encrypt its APK and shell code,
- run a malicious DEX file without notification,
- add a “guard code” to monitor its own processes,
- rename .APK (Android application package) files used to install the malicious apps,
- and launch the new activity as the payload.
- {blocked}.{blocked}dn.com /testapk/[sample name].apk
- {blocked}.{blocked}ecdn.com/testapk/[sample name].apk
- {blocked}.{blocked}dn.com/testapk/[sample name].apk
- {blocked}.{blocked}n.com:80/testapk/[sample name].apk
Figure 1. Number of Ghost Push Android malware variants since April 2015
- Demo
- Door Screen Locker App
- Loud Caller Name Ringtone
- MagicStarMatchSweetDubbing
- Photo Background Changer - Utltimate
- Photo Cut Paste
- Puzzle Bubble-Pet Paradise
- RootMasterDemo
- SuperZoom
- 开心捕鱼
Figure 2. Countries affected by Ghost Push
Figure 3. Typical permissions asked by a Ghost Push variant
Figure 4. Screenshot of the malicious Daily Racing app
New Variants Sport Guard Code, Other Features

Ghost Push malware apps are downloaded by unsuspecting users from third-party app stores. The shell APK file decodes a DEX file in the assets directory. This file is sometimes named protect.apk. Once done, the app runs the malicious DEX file without showing any icon or notification. After the DEX is loaded, the malware can then start launching other malicious activities and services, including automatically running the app on startup. The app then proceeds to root the device and store the malicious payload in memory. It uses the “chattr +i” command line to render the app an immutable object, one that can’t be erased even if users upgrade their software.

Figure 5. Ghost Push launches the new activity as the payload
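As an added illustration (not Trend Micro's code and not taken from the samples), a static triage check for the shell-APK layout described above: it opens an APK and flags entries under assets/ that are either a plaintext DEX file or a nested APK carrying a .dex. Function names are assumptions and the input APK is constructed in memory; an encrypted payload has no magic bytes to match, so this only catches the unencrypted stage.

```python
import io
import zipfile

DEX_MAGIC = b"dex\n"       # every DEX header starts with "dex\n" followed by the version
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive (an APK is a ZIP)


def classify_blob(data):
    """Return 'dex', 'apk-with-dex', or None for one raw asset payload."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if any(n.endswith(".dex") for n in inner.namelist()):
                    return "apk-with-dex"
        except zipfile.BadZipFile:
            return None
    return None


def find_hidden_dex(apk_bytes):
    """Flag assets/ entries that are plaintext DEX or a nested APK with a .dex inside."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            kind = classify_blob(apk.read(info.filename))
            if kind:
                hits.append((info.filename, kind))
    return hits


def build_sample_apk():
    """Constructed sample: a shell APK whose assets/ holds a nested APK plus a bare DEX."""
    fake_dex = DEX_MAGIC + b"035\0" + b"\0" * 64
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", fake_dex)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", fake_dex)                  # the loader's own code, not flagged
        z.writestr("assets/protect.apk", inner.getvalue())   # file name mentioned in the post
        z.writestr("assets/raw.dex", fake_dex)
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")  # benign asset, not flagged
    return outer.getvalue()
```

Running `find_hidden_dex(build_sample_apk())` on the constructed sample returns the two code-bearing assets and ignores the image.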
Note that the Ghost Push malware automatically encrypts and decrypts itself throughout this process to hide critical information like files, strings and shellcode.
Figure 6. Ghost Push malware encrypts its APK
Figure 7. Ghost Push malware encrypts its shellcode
Figure 8. Ghost Push malware decrypts information
However, unlike older variants, the newer Ghost Push malware uses the “Process watcher” command as a guard code to monitor existing processes on the device and ensure that its malicious routines are running. This guard code also helps the malware calculate how much space is left for installing malicious apps.
Figure 9. Ghost Push malware uses “Process Watcher” to ensure that routines are running
Some of the newer variants also drop routines seen in older versions, such as disabling the device’s WiFi connection so that malicious apps are downloaded over the mobile data connection. They also rename the APKs’ package names to avoid conflicting with the original ones.
Figure 10. Ghost Push malware renames APKs
Since the device is already rooted and the process watcher is monitoring processes that might notify users, the app is free to do malicious routines. These include installing unwanted apps and ads, activating apps and ads when the screen is on, stealing personal information found on devices, and updating the malicious apps installed.
Solutions and Detections

Customers using Trend Micro mobile solutions are protected from threats related to Ghost Push, as we have been blocking and monitoring related malware since April this year. Threats like Ghost Push are detrimental to the privacy of device users. To defend against similar apps, which go to great lengths to conceal and guard their processes, device users should take note of the following best practices:

- Limit downloads to official app stores and, even then, stay informed about apps that are reported to be malicious.
- Secure Android devices with mobile solutions that are constantly updated to defend against the latest threats and block malware before installation, such as Trend Micro™ Mobile Security.
- AndroidOS_Masksys.CBT SHA1: b341bf8a492ce482c8b0fee925a8ceee80ad0efa
- AndroidOS_Syscore.CBT SHA1: c4c9df3a1ec5d46c2a7203f7e903d77cd8da97aa
- AndroidOS_MaskSys.HRX SHA1: 0f0654f0de23c3efeae3a3cf8bcdd8346a8cf280