New “Ghost Push” Variants Sport Guard Code; Malware Creator Published Over 600 Bad Android Apps

By Yang Yang, Jordan Pan

Halloween is still a month from now and yet Android users are already being haunted by the previously reported “Ghost Push” malware, which roots devices and makes them download unwanted ads and apps. The malware is usually packaged with apps that users may download from third-party app stores.

Further investigation of Ghost Push revealed more recent variants which, unlike older ones, employ the following routines that make them harder to remove and detect:

  • encrypt their APK and shellcode,
  • run a malicious DEX file without any notification,
  • add a “guard code” that monitors their own processes,
  • rename the .APK (Android application package) files used to install the malicious apps,
  • and launch the new activity as the payload.

More than 20 Ghost Push variants are now circulating in the wild; some are distributed from the following URLs:

  • {blocked}.{blocked}dn.com /testapk/[sample name].apk
  • {blocked}.{blocked}ecdn.com/testapk/[sample name].apk
  • {blocked}.{blocked}dn.com/testapk/[sample name].apk
  • {blocked}.{blocked}n.com:80/testapk/[sample name].apk

Ghost Push has been active since April this year but produced more variants in September than in any earlier month.


Figure 1. Number of Ghost Push Android malware variants since April 2015

Apart from the 39 previously reported applications, the following is a sample list of Android apps infected with Ghost Push:

Sample List of Android Apps Infected with Ghost Push Malware

  • Demo
  • Door Screen Locker App
  • Loud Caller Name Ringtone
  • MagicStarMatchSweetDubbing
  • Photo Background Changer – Utltimate
  • Photo Cut Paste
  • Puzzle Bubble-Pet Paradise
  • RootMasterDemo
  • SuperZoom
  • 开心捕鱼

Devices infected by the Ghost Push malware are located mostly in India (31.69%), Indonesia (23.54%), and Malaysia (8.18%).

Figure 2. Countries affected by Ghost Push

Note that the Ghost Push Android malware is in no way related to the XcodeGhost iOS threat. Both contain “Ghost” in their names, but they are fundamentally different threats: Ghost Push apps are sourced from third-party app stores, while XcodeGhost apps were published in the official App Store.

Over 600 Android Apps Published by Ghost Push Creator

It is likely that a team of cybercriminals is behind Ghost Push, and they are not new to the malware creation industry. This group has already published a total of 658 different malicious applications (1,259 different versions) unrelated to Ghost Push in third-party app stores. One of these apps has infected more than 100,000 devices; two, more than 10,000; and seven, more than 1,000.

We also found two legitimate apps unrelated to Ghost Push that the same creators published on Google Play, both of which have since been removed. The app Popbird (com[dot]wenzhuo[dot]popbird) generated 5,000 to 10,000 downloads, while the app Daily Racing (com[dot]leo[dot]car[dot]en) had about 1,000 to 5,000 downloads before they were taken down.

This shows that the group possesses ample technical knowledge to effectively victimize thousands of devices and evade detection.

Figure 3. Typical permissions asked by a Ghost Push variant

Figure 4. Screenshot of the malicious Daily Racing app

New Variants Sport Guard Code, Other Features

Ghost Push malware apps are downloaded by unsuspecting users from third-party app stores. The shell APK file decodes a DEX file stored in the assets directory; this file is sometimes named protect.apk. Once decoded, the app runs the malicious DEX file without showing any icon or notification. After the DEX is loaded, the malware can start launching other malicious activities and services, including automatically running the app on startup.

The app then proceeds to root the device and store the malicious payload in memory. It uses the “chattr +i” command to mark the app as an immutable object, one that cannot be erased even if users upgrade their software.

Figure 5. Ghost Push launches the new activity as the payload

Note that the Ghost Push malware automatically encrypts and decrypts itself throughout this process to hide critical information like files, strings and shellcode.
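The unpacking and encryption behaviour described above (a secondary DEX or APK hidden under assets/, sometimes named protect.apk, with files and strings kept encrypted) can be triaged offline. The following Python script is an added example written for this page, not code from the original post or from Trend Micro: it builds a constructed sample APK in memory, matches the file's SHA-1 against the three detection hashes listed at the end of the post, flags executable payloads under assets/ by their magic bytes regardless of file name, and flags encrypted-looking assets by entropy (the 7.5 bits/byte threshold is an assumed heuristic).

```python
import hashlib
import io
import math
import zipfile
# SHA-1 hashes of the three Ghost Push samples listed in the post's detections section.
GHOST_PUSH_SHA1 = {
    "b341bf8a492ce482c8b0fee925a8ceee80ad0efa": "AndroidOS_Masksys.CBT",
    "c4c9df3a1ec5d46c2a7203f7e903d77cd8da97aa": "AndroidOS_Syscore.CBT",
    "0f0654f0de23c3efeae3a3cf8bcdd8346a8cf280": "AndroidOS_MaskSys.HRX",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, lower for plain files."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_apk(apk_bytes: bytes) -> dict:
    """Flag a known hash, executable payloads hidden under assets/, and encrypted-looking assets."""
    sha1 = hashlib.sha1(apk_bytes).hexdigest()
    report = {"sha1": sha1, "known": GHOST_PUSH_SHA1.get(sha1),
              "asset_payloads": [], "encrypted_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("assets/"):
                continue
            data = z.read(name)
            # ZIP/APK (PK\x03\x04) or DEX ("dex\n") magic under assets/ marks a secondary payload
            if data[:4] in (b"PK\x03\x04", b"dex\n"):
                report["asset_payloads"].append(name)
            elif len(data) >= 256 and shannon_entropy(data) > 7.5:  # assumed heuristic threshold
                report["encrypted_assets"].append(name)
    return report

def build_sample() -> bytes:
    """Constructed test APK (not a real sample): an inner APK named protect.apk plus a uniform-byte blob."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/protect.apk", inner.getvalue())
        z.writestr("assets/config.bin", bytes(range(256)) * 4)  # entropy 8.0, looks encrypted
    return outer.getvalue()
```

Calling triage_apk(build_sample()) reports protect.apk as an embedded payload and config.bin as encrypted-looking; for a real file, pass the APK's bytes read from disk and check the "known" field against the hash list.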

Figure 6. Ghost Push malware encrypts its APK

Figure 7. Ghost Push malware encrypts its shellcode

Figure 8. Ghost Push malware decrypts information

However, unlike older variants, the newer Ghost Push malware uses the “Process watcher” command as a guard code to monitor existing processes on the device and ensure that its malicious routines keep running. This guard code also helps the malware calculate how much storage space remains for installing malicious apps.

Figure 9. Ghost Push malware uses “Process Watcher” to ensure that routines are running

Some of the newer variants also drop routines found in older versions, such as disabling the device’s Wi-Fi connection so that malicious apps are downloaded over the mobile data connection. They also rename the APKs’ package names to avoid conflicts with the original ones.

Figure 10. Ghost Push malware renames APKs

Since the device is already rooted and the process watcher is monitoring processes that might alert users, the app is free to carry out its malicious routines. These include installing unwanted apps and ads, activating apps and ads when the screen is on, stealing personal information found on the device, and updating the malicious apps it has installed.

Solutions and Detections

Customers using Trend Micro mobile solutions are protected from threats related to Ghost Push as we have been blocking and monitoring related malware since April this year.

Threats like Ghost Push are detrimental to the privacy of device users. To defend against similar apps, which go to great lengths to conceal and guard their processes, device users should take note of the following best practices:

  • Limit downloads to official app stores and, even then, stay informed about apps that are reported to be malicious.
  • Secure Android devices with mobile security solutions that are constantly updated to defend against the latest threats and block malware before installation, such as Trend Micro™ Mobile Security.

Now that consumerization is prevalent in enterprises, malware apps like this can easily get onto corporate devices as well. As such, it is important for both individuals and companies to extend security to mobile devices. Mobile application management for enterprises identifies and blocks risky apps before they get onto mobile devices.

The following detections are related to Ghost Push:

  • AndroidOS_Masksys.CBT
    SHA1: b341bf8a492ce482c8b0fee925a8ceee80ad0efa
  • AndroidOS_Syscore.CBT
    SHA1: c4c9df3a1ec5d46c2a7203f7e903d77cd8da97aa
  • AndroidOS_MaskSys.HRX
    SHA1: 0f0654f0de23c3efeae3a3cf8bcdd8346a8cf280

Story added 30 September 2015; the full text is available from the original source article.