With Halloween just around the corner, now seemed the perfect time for the Ghost Push malware to reappear. This infection, first reported in mid-September 2015, is known as one of the quickest-spreading pieces of mobile malware in recent memory. Android users should now be on the lookout for this dangerous infection.
Ghost Push malware: Introduced with a bang
While some infections take the slow-and-steady route, particularly at first to prevent detection, Ghost Push seemed to take the opposite approach. According to VentureBeat, this sample was first discovered last month by Cheetah Mobile security researchers. At that time, it was infecting over 600,000 users on a daily basis. Researchers believed the infection was being spread by malware in commercial or browser ads, impacting more than 14,000 different types of mobile phones across over 3,000 brands.
Once a device is infected, Ghost Push installs apps that are not only downloaded without the user's permission but have also proven incredibly difficult to remove. Researchers found that neither antivirus software nor a factory reset succeeded in uninstalling the apps the infection had downloaded. After gaining root access, Ghost Push can also significantly slow down a device, drain its battery and consume a considerable amount of cellular data with its malicious activity, VentureBeat reported.
Over the course of Cheetah Mobile's investigation, the team found nearly 40 apps infected with Ghost Push. Most of these were fraudulent applications created with the intent to infect users and were being released in third-party app stores. Researchers advised taking a close look at application labels – if the package name includes something like "com.abc.yinhe," the app is potentially a front for Ghost Push and users should avoid downloading it.
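The package-name check the researchers recommend, together with the article's point that the malicious apps came from third-party stores, can be turned into a simple triage of an Android device's installed packages. The following is an added example, not code from Cheetah Mobile or Trend Micro: it parses constructed `adb shell pm list packages -i` output (the `-i` flag reports each package's installer), and the indicator fragment, trusted-installer set and system-package prefixes are assumptions chosen for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell pm list packages -i` output (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.abc.yinhe.launcher  installer=null
package:com.example.photocutpaste  installer=com.xyz.thirdpartystore
package:com.google.android.gms  installer=null
"""

# Package-name fragment the researchers cite as a Ghost Push tell; a real list would come
# from a current threat feed rather than being hard-coded like this.
SUSPICIOUS_FRAGMENTS = ("com.abc.yinhe",)
# Assumption: Google Play (com.android.vending) is the only trusted installer on this device.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Preinstalled system packages legitimately report installer=null; assumption: allowlist by prefix.
SYSTEM_PREFIXES = ("com.google.android.", "com.android.")

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text: str) -> List[Dict[str, str]]:
    """Turn `pm list packages -i` lines into {package, installer} records, skipping noise."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"package": m.group("pkg"), "installer": m.group("inst")})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag packages whose name matches a known indicator or that were not installed by a trusted store."""
    findings = []
    for e in entries:
        pkg, inst = e["package"], e["installer"]
        reasons = []
        if any(frag in pkg for frag in SUSPICIOUS_FRAGMENTS):
            reasons.append("package name matches known Ghost Push naming pattern")
        if inst not in TRUSTED_INSTALLERS and not pkg.startswith(SYSTEM_PREFIXES):
            reasons.append(f"installed by untrusted source: {inst}")
        if reasons:
            findings.append({"package": pkg, "installer": inst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f["package"], "->", "; ".join(f["reasons"]))
```

A package flagged only for an unknown installer is a lead to investigate, not proof of infection; sideloaded enterprise apps will trip the same rule.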
Ghost Push grows: Expanding the infection scope
Trend Micro reported at the end of September that additional investigation showed that Ghost Push had an even more expansive reach than initially thought. At that time, the group behind the infection had published more than 600 malicious applications, or over 1,000 in total counting different app versions. All of these were published in third-party app stores as opposed to the official Google Play. A single one of these applications had already infected more than 100,000 devices, another two combined tallied 10,000 infections and seven applications infected over 1,000 users in total.
Unlike the first applications discovered as part of Ghost Push, more recent versions are increasingly malicious, Trend Micro researchers found. These newer apps employ several strategies to make them even more difficult to remove from a device, including encrypting the APK and shell code, running a malicious DEX file without user permission, implementing a "guard code" to monitor activities and launching these new processes as part of the payload.
Some of the Android apps infected with Ghost Push include Demo, Door Screen Locker App, Loud Caller Name Ringtone, MagicStarMatchSweetDubbing, Photo Background Changer – Ultimate, Photo Cut Paste, Puzzle Bubble-Pet Paradise, RootMasterDemo and SuperZoom.
Researchers also found that Ghost Push had been active since April, but the group behind it created more variants in September than any previous month. Since its deployment, most infections have taken place in India, Indonesia and Malaysia. These locations represent more than 63 percent of the total infections.
Making matters worse, Trend Micro researchers also uncovered that the group behind Ghost Push had published two legitimate apps in Google Play – Popbird, which was downloaded up to 10,000 times, and Daily Racing, which saw as many as 5,000 downloads. Both were quickly removed.
"These show that this group possess ample technical knowledge to effectively victimize thousands of devices and evade detection," Trend Micro researchers Yang Yang and Jordan Pan wrote in a blog post.
Protecting against Ghost Push
In the current threat environment, it has become more important than ever for all users to observe safety practices and protect themselves from infections like Ghost Push.
"Now that consumerization is prevalent in enterprises, malware apps like this can easily get into corporate devices as well," Yang and Pan wrote. "As such, it is important for both individuals and companies to extend security to mobile devices."
In addition to avoiding third-party app stores, users and businesses can also leverage specialized security systems. Trend Micro offers security solutions specially designed for Android devices, helping to bolster mobile protection.