GhostCtrl, a very dangerous malware, poses as Pokémon GO or WhatsApp
A new piece of malware has just appeared in the Android sphere. Named GhostCtrl, it can steal a large amount of information, control the device remotely and even act as ransomware.
A computer worm recently hit Israeli hospitals to steal sensitive information from some patients. According to Trend Micro, it was only part of a larger attack, with a threat affecting Android devices as well.
A phantom malware
Named GhostCtrl by Trend Micro, the malware in question comes in three different versions. The first allows it to obtain administrator rights on the device; the second can steal information and act as ransomware; the third makes the whole thing more opaque and conceals its actions.
Based on OmniRAT, a tool capable of remotely controlling a wide range of Android, Windows, Linux or macOS devices, GhostCtrl takes the name of common applications, from the generic "App" or "MMS" to better-known names such as "WhatsApp" and "Pokémon GO". Once the application in question is installed, it asks the user to install a new APK through a pop-up that reappears in a loop until the user accepts the installation.
Once the backdoor has been successfully installed, it connects to remote servers through dynamic domain names (such as php.no-ip.biz or ayalove.no-ip.biz) rather than the IP address of the server. This allows the attackers to change servers easily, making them harder to catch, without losing the link to devices that are already infected.
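Because the hostnames stay fixed while the address behind them moves, defenders can watch DNS resolver logs for the dynamic DNS zone instead of chasing server IPs. The following Python code is an added example, not taken from Trend Micro or from the original article; the log format, timestamps and all IP addresses are constructed, and only the two hostnames come from the text above.

```python
from collections import defaultdict

# Dynamic-DNS parent zones to watch. "no-ip.biz" is the zone named in the
# article; extend the tuple with other providers seen in your environment.
DDNS_SUFFIXES = ("no-ip.biz",)

# Constructed sample resolver log: "<time> <client> <qname> <answer>".
# All addresses are private or documentation ranges, not real indicators.
SAMPLE_LOG = """\
2017-07-18T09:00:01Z 10.0.0.21 php.no-ip.biz. 203.0.113.10
2017-07-18T09:00:02Z 10.0.0.35 www.example.com 198.51.100.7
2017-07-18T13:00:01Z 10.0.0.21 PHP.no-ip.biz 203.0.113.99
2017-07-18T13:05:44Z 10.0.0.48 ayalove.no-ip.biz 192.0.2.50
2017-07-18T13:06:00Z 10.0.0.48 no-ip.biz.example.org 198.51.100.9
malformed line
"""

def is_ddns(qname, suffixes=DDNS_SUFFIXES):
    """True if qname is a watched zone or a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def ddns_lookups(log_text):
    """Map each watched hostname to the clients that queried it and the
    distinct answers returned. Several answers for one name means the
    record was re-pointed while devices kept following it."""
    hits = defaultdict(lambda: {"clients": set(), "answers": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        _, client, qname, answer = fields
        if is_ddns(qname):
            entry = hits[qname.rstrip(".").lower()]
            entry["clients"].add(client)
            entry["answers"].add(answer)
    return dict(hits)

def report(hits):
    """Return (hostname, clients, answers, repointed) tuples, sorted by host."""
    return [(h, sorted(v["clients"]), sorted(v["answers"]), len(v["answers"]) > 1)
            for h, v in sorted(hits.items())]

if __name__ == "__main__":
    for host, clients, answers, moved in report(ddns_lookups(SAMPLE_LOG)):
        print(host, clients, answers, "RE-POINTED" if moved else "")
```

The suffix match is anchored on a label boundary, so a lookalike such as no-ip.biz.example.org is not flagged, and the client list tells you which devices to examine.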
A very curious malware
Trend Micro says that GhostCtrl collects far more data than the usual malware. It retrieves the system version, the user name, the Wi-Fi networks the device connects to, the battery status, Bluetooth, the data from the various sensors, as well as the search history, browser data and wallpaper, and it can access both the camera and the microphones of the phone to spy on its victim.
As mentioned above, the second version of GhostCtrl can also act as ransomware by locking the phone's screen and changing the password. It can even root the device and set up a recurring routine that captures a photo or video, encrypts it and then sends it to a remote server.
Caution First
As usual, we advise you to avoid downloading applications from untrusted sources and to update your smartphone or tablet as soon as updates are available.
