GhostPush Android Botnet

Sofia Luis | April 21, 2016 | tag: BitSight

GhostPush is an Android malware that was first discovered in September 2015. Once installed on a user’s device, it will display unsolicited advertising, and install unwanted applications on the user’s device. This malware is also known for rooting the user’s device and making itself very hard to uninstall.

Recently, AnubisNetworks was able to sinkhole one domain that is used by one variant of this malware family. Once the domain was configured to point to our platform, we immediately started receiving a large number of HTTP requests that sum about 200,000 devices on a 24 hour period.

The infections came from all over the world, but mainly from India (about 50%) as shown in this chart:

8anubisblog1.png

The bots that connected to our sinkhole were sending in cleartext some interesting information. The following is an example of the contents of one of these requests:

Payload (HTTP POST data example):

8anubisblog2.png

We then decided to take a quick look at one of the APK’s that were producing this traffic. 

After decompiling the Application, we found the function responsible for sending the data. Part of this function is shown in the following image:

8anubisblog3.png

Looking further at the decompiled code, we found several other suspicious pieces of code that matched the public reports (see references) on the GhostPush malware family:

The application checks if the following files exist, and it creates them if they don’t:

8anubisblog6.png

The application drops an ELF file on the file system:

8anubisblog4.png

During our non exhaustive analysis of the malware sample we were able to observe indicators of the following malicious activities:

  • Drops and executes an ELF file;
  • Downloads and installs unsolicited APKs;
  • Displays adds to the user;
  • Steals sensitive data (e.g. IMEI, IMSI);
  • Checks for root permissions;
  • Changes files in the /system directory;

References:

The following links have further analysis of the malware family:

http://www.cmcm.com/blog/en/security-technology/malwares/2015-09-23/802.html

http://blog.trendmicro.com/trendlabs-security-intelligence/new-ghost-push-variants-sport-guard-code-malware-creator-published-over-600-bad-android-apps/

Samples:

8anubisblog5.png

 

 

Suggested Posts

Celebrating 10 Years of BitSight: A Co-Founder Looks Back

It’s hard to believe, but BitSight is celebrating our 10 year anniversary this week! I co-founded BitSight in 2011 with my friend and grad school classmate, Nagarjuna Venna. When I think back at our original idea of creating a global...

READ MORE »

Meet Our Customer Success Team: Ashley Ritrovato

Check out this Q&A with a US-based member of BitSight's Customer Success team to learn about her role as an BitSight Advisor & Customer Success Manager, her experience, and more.

READ MORE »

Meet Our Customer Success Team: Alessandra Pilloni

Check out this Q&A with a London-based member of BitSight's Customer Success team to learn about her role as an Customer Success Manager, her experience, and more.

READ MORE »

Get the Weekly Cybersecurity Newsletter.