BitSight

GhostPush Android Botnet

Sofia Luis | April 21, 2016

GhostPush is an Android malware that was first discovered in September 2015. Once installed on a user’s device, it will display unsolicited advertising, and install unwanted applications on the user’s device. This malware is also known for rooting the user’s device and making itself very hard to uninstall.

Recently, AnubisNetworks was able to sinkhole one domain used by one variant of this malware family. Once the domain was configured to point to our platform, we immediately started receiving a large number of HTTP requests, amounting to about 200,000 devices in a 24-hour period.

The infections came from all over the world, but mainly from India (about 50%) as shown in this chart:

8anubisblog1.png

The bots that connected to our sinkhole were sending some interesting information in cleartext. The following is an example of the contents of one of these requests:

Payload (HTTP POST data example):

8anubisblog2.png
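As an added example (not the post's own tooling), the following Python script shows how a sinkhole operator turns raw check-ins like the one above into the "unique devices per 24 hours" and per-country figures reported earlier; the log lines, the POST field names (imei, imsi) and the IP-to-country table are constructed assumptions, since the real payload is only shown as an image.

```python
"""Aggregate sinkhole HTTP beacons into the unique-device and per-country
figures a sinkhole operator reports. Log lines, POST field names (imei, imsi)
and the IP-to-country table are constructed; the real payload is not shown."""
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sinkhole log: timestamp, client IP, method, path, cleartext POST body.
SAMPLE_LOG = """\
2016-04-20T10:00:01Z 203.0.113.10 POST /report imei=111&imsi=404011&v=3
2016-04-20T10:05:07Z 203.0.113.10 POST /report imei=111&imsi=404011&v=3
2016-04-20T11:30:00Z 198.51.100.7 POST /report imei=222&imsi=310260&v=3
2016-04-21T09:59:59Z 203.0.113.44 POST /report imei=333&imsi=404020&v=3
2016-04-21T12:00:00Z 198.51.100.7 POST /report imei=444&imsi=310260&v=3
"""
# Constructed lookup table; a real sinkhole would query a GeoIP database.
IP_COUNTRY = {"203.0.113.10": "IN", "203.0.113.44": "IN", "198.51.100.7": "US"}
LINE_RE = re.compile(r"^(\S+) (\S+) POST (\S+) (\S+)$")

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def beacons_in_window(log_text, start_iso, hours=24):
    """Yield (ip, fields) for each well-formed bot check-in inside the window."""
    start = parse_ts(start_iso)
    end = start + timedelta(hours=hours)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a bot check-in; scanners and crawlers hit sinkholes too
        if start <= parse_ts(m.group(1)) < end:
            # parse_qs returns lists; keep the first value of each field
            yield m.group(2), {k: v[0] for k, v in parse_qs(m.group(4)).items()}

def devices_by_country(log_text, start_iso, hours=24):
    """Map each distinct device id (imei) to the country of its first check-in."""
    per_device = {}
    for ip, fields in beacons_in_window(log_text, start_iso, hours):
        if "imei" in fields:
            per_device.setdefault(fields["imei"], IP_COUNTRY.get(ip, "??"))
    return per_device

def country_share(log_text, start_iso, hours=24):
    """Fraction of unique devices per country, e.g. {'IN': 0.5, ...}."""
    counts = Counter(devices_by_country(log_text, start_iso, hours).values())
    total = sum(counts.values()) or 1
    return {country: n / total for country, n in counts.items()}
```

Deduplicating on the device identifier rather than on source IP matters because many devices behind one carrier NAT share an address, and one device changes addresses as it moves between networks.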

We then decided to take a quick look at one of the APKs that were producing this traffic.

After decompiling the Application, we found the function responsible for sending the data. Part of this function is shown in the following image:

8anubisblog3.png

Looking further at the decompiled code, we found several other suspicious pieces of code that matched the public reports (see references) on the GhostPush malware family:

The application checks if the following files exist, and it creates them if they don’t:

8anubisblog6.png

The application drops an ELF file on the file system:

8anubisblog4.png

During our non-exhaustive analysis of the malware sample we were able to observe indicators of the following malicious activities:

  • Drops and executes an ELF file;
  • Downloads and installs unsolicited APKs;
  • Displays ads to the user;
  • Steals sensitive data (e.g. IMEI, IMSI);
  • Checks for root permissions;
  • Changes files in the /system directory;

References:

The following links have further analysis of the malware family:

http://www.cmcm.com/blog/en/security-technology/malwares/2015-09-23/802.html

http://blog.trendmicro.com/trendlabs-security-intelligence/new-ghost-push-variants-sport-guard-code-malware-creator-published-over-600-bad-android-apps/

Samples:

8anubisblog5.png
