Cheetah Mobile says the scourge of Ghost Push malware is still taking its toll on Android devices nearly two years after making its debut. Now the research firm is trying to track down how Ghost Push and other Trojans have remained so prolific despite mitigation efforts.
In a report released Friday analyzing major sources of mobile Trojans, Cheetah Mobile Security Research Lab said the majority of Trojan infections today come from outside the Google Play app store. It also reported that Trojans account for one percent of the millions of apps downloaded each day. The most prolific Trojan sample is Ghost Push.
For years, Ghost Push made a name for itself infecting as many as 900,000 Android devices in 2015. The Trojan hides itself inside apps and is able to obtain full root access. The app is known for its stealth and ability to sneak onto apps available on Google Play, and is often bundled with bogus versions of popular apps such as Super Mario, WiFi Enhancer and WordLock.
Ghost Push made a name for itself for its ability to bypass Google Play’s and other third-party app store’s security measures. Since raising defenses at Google Play, researchers say Ghost Push and other Trojans have changed infection tactics and are finding new victims via malicious links promoted via mobile websites, say researchers. Of the top 12 malware samples spreading through malicious links, all of them belong to the same Ghost Push Trojan family, Cheetah reports.
However, the company said most Trojans are downloaded from unknown sources. “According to the statistics, about one-third of applications are downloaded and installed to users’ phones without setting ‘installer’, meaning that the sources of these apps cannot be tracked. Unfortunately, the majority of mobile Trojans are from these unknown sources,” Cheetah reports.
It suspects that malware from these unknown sources is coming from downloads offered at pornographic websites, deceptive advertising links and via in-app ads that promote the malicious apps. When users click on links, the top two Trojan-laced apps, according to Cheetah, are Wireless Optimizer and WiFi Master Pro that both root targeted phones and show malicious ads.
Hardest hit regions by Ghost Push and other Trojans are Malaysia, Vietnam and Colombia.
When Cheetah traced those hyperlinks back to their origins it found the majority were short URLs that referred traffic to a malicious link. Diving deeper into websites serving up links to Trojans, Cheetah found that most originated via an ad, porn site, music piracy site or a “blogger” site.
“As the Trojan has updated the root samples several times, currently, it is able to root almost all Android versions except for Android 6.0,” Cheetah reported. According to a 2015 Trend Micro report, there are more than 20 variants of Ghost Push code in the wild buried inside more than 600 “bad” Android apps.
Earlier this year when Google released its annual security report it found that a company in Southeast Asia responsible for providing OTA update infrastructure and updates to Android manufacturers and carriers was compromised and attempting to distribute the Ghost Push Trojan.
“We were able to determine that the large number of installation attempts we saw were caused by the OTA company continuously trying to install Ghost Push applications on user devices. In some instances, bugs in the application installation software caused the OTA company to try to install the same application hundreds of times onto a single device—with all but one installation attempt failing,” Google said in its report. Google said more than 40,000 Ghost Push apps and more than 3.5 billion installation attempts were recorded.
