<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1175921925807459&amp;ev=PageView&amp;noscript=1">
Anubis BitSight Labs

GhostPush Android Botnet

Sofia Luis | April 21, 2016

GhostPush is an Android malware that was first discovered in September 2015. Once installed on a user’s device, it will display unsolicited advertising, and install unwanted applications on the user’s device. This malware is also known for rooting the user’s device and making itself very hard to uninstall.

Recently, AnubisNetworks was able to sinkhole one domain that is used by one variant of this malware family. Once the domain was configured to point to our platform, we immediately started receiving a large number of HTTP requests that sum about 200,000 devices on a 24 hour period.

The infections came from all over the world, but mainly from India (about 50%) as shown in this chart:

8anubisblog1.png

The bots that connected to our sinkhole were sending in cleartext some interesting information. The following is an example of the contents of one of these requests:

Payload (HTTP POST data example):

8anubisblog2.png

We then decided to take a quick look at one of the APK’s that were producing this traffic. 

After decompiling the Application, we found the function responsible for sending the data. Part of this function is shown in the following image:

8anubisblog3.png

Looking further at the decompiled code, we found several other suspicious pieces of code that matched the public reports (see references) on the GhostPush malware family:

The application checks if the following files exist, and it creates them if they don’t:

8anubisblog6.png

The application drops an ELF file on the file system:

8anubisblog4.png

During our non exhaustive analysis of the malware sample we were able to observe indicators of the following malicious activities:

  • Drops and executes an ELF file;
  • Downloads and installs unsolicited APKs;
  • Displays adds to the user;
  • Steals sensitive data (e.g. IMEI, IMSI);
  • Checks for root permissions;
  • Changes files in the /system directory;

References:

The following links have further analysis of the malware family:

http://www.cmcm.com/blog/en/security-technology/malwares/2015-09-23/802.html

http://blog.trendmicro.com/trendlabs-security-intelligence/new-ghost-push-variants-sport-guard-code-malware-creator-published-over-600-bad-android-apps/

Samples:

8anubisblog5.png

 

 

Suggested Posts

Fraudulent Android Advertising SDK Installed In Over 15 Million Devices

Every day, BitSight monitors the global threat landscape in a constant effort to identify software that may be placing users and organizations at risk. The presence of malware — or simply potentially unwanted applications — in an...

READ MORE »

Break Out Of The Tinynuke Malware

New Tinynuke variant with a DGA in the wild

 

Summary

Tinynuke, or Nukebot malware, is a trojan able to perform man in the browser attacks against modern web browsers and equipped with the most common features needed by a bank trojan (e.g....

READ MORE »

The Value of Sinkholing: It’s In the Numbers

In 2014, BitSight acquired AnubisNetworks, a real-time data threat provider based in Portugal. The integration of AnubisNetworks extends BitSight’s position as the leading provider of cybersecurity ratings for organizations around the...

READ MORE »

Subscribe to get security news and updates in your inbox.