Ghost Push Malware Still Taking a Toll on Android Devices Through Malicious Links

Source: https://threatpost.com/ghost-push-trojan-flourishing-via-malicious-links/121310/, http://www.cmcm.com/blog/en/security/2016-10-14/1031.html(Threatpost, CheetahMobile)

Cheetah Mobile a company that strives to provide faster, simpler and safer mobile internet experience for users worldwide, is saying that Ghost Push malware family is still taking a toll on Android devices even after it’s nearly two-year debut. According to researchers at CM lab, the majority of Trojan infections today come from outside the Google Play app store and said that that Trojans account for one percent of the millions of app downloads a day. Over the years Ghost Push has been infecting thousands of Android device and as many as 900,000 devices in 2015 alone. The trojan can hide inside apps and is able to obtain full root access. This trojan is known for its stealth and has the ability to sneak onto other apps available on the Google Play store, finding that it is often bundled with fake versions of popular apps like Super Mario, WiFi Enhancer, and WordLock. Ghost Push is well known for its ability to bypass Google Play’s and other third-party app store’s security measures. Though Cheetah Mobile says that most of these Trojans are downloaded from unknown sources, and when they’re installed on users’ phones without setting ‘installer’ the source of these apps cannot be tracked.

Researchers at Cheetah Mobile are suspecting that the malware from these unknown sources is coming from downloads offered in pornographic websites, deceptive advertising links, and through in-app ads that promote these malicious apps. When hyperlinks were traced back to their origins the company found that the majority were short URLs that referred to a malicious link.

Global regions who were hit the hardest by Ghost Push and other Trojans include Malaysia, Vietnam, and Colombia. According to researchers at CM as the Trojan has updated its root samples several times it is currently able to root almost all Android versions except for Android 6.0. In the 2015 Trend Micro report, more than 20 variants of Ghost Push code are in the wild buried inside more than 600 malicious Android applications. As Google released it’s annual security report earlier this year is found that a company in Southeast Asia responsible for providing the Office of Technology Assessment (OTA) update infrastructure and updates to Android manufacturers and carriers was compromised and attempting to spread the Ghost Push Trojan.