<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1175921925807459&amp;ev=PageView&amp;noscript=1">
Anubis BitSight Labs

GhostPush Android Botnet

Sofia Luis | April 21, 2016

GhostPush is an Android malware that was first discovered in September 2015. Once installed on a user’s device, it will display unsolicited advertising, and install unwanted applications on the user’s device. This malware is also known for rooting the user’s device and making itself very hard to uninstall.

Recently, AnubisNetworks was able to sinkhole one domain that is used by one variant of this malware family. Once the domain was configured to point to our platform, we immediately started receiving a large number of HTTP requests that sum about 200,000 devices on a 24 hour period.

The infections came from all over the world, but mainly from India (about 50%) as shown in this chart:

8anubisblog1.png

The bots that connected to our sinkhole were sending in cleartext some interesting information. The following is an example of the contents of one of these requests:

Payload (HTTP POST data example):

8anubisblog2.png

We then decided to take a quick look at one of the APK’s that were producing this traffic. 

After decompiling the Application, we found the function responsible for sending the data. Part of this function is shown in the following image:

8anubisblog3.png

Looking further at the decompiled code, we found several other suspicious pieces of code that matched the public reports (see references) on the GhostPush malware family:

The application checks if the following files exist, and it creates them if they don’t:

8anubisblog6.png

The application drops an ELF file on the file system:

8anubisblog4.png

During our non exhaustive analysis of the malware sample we were able to observe indicators of the following malicious activities:

  • Drops and executes an ELF file;
  • Downloads and installs unsolicited APKs;
  • Displays adds to the user;
  • Steals sensitive data (e.g. IMEI, IMSI);
  • Checks for root permissions;
  • Changes files in the /system directory;

References:

The following links have further analysis of the malware family:

http://www.cmcm.com/blog/en/security-technology/malwares/2015-09-23/802.html

http://blog.trendmicro.com/trendlabs-security-intelligence/new-ghost-push-variants-sport-guard-code-malware-creator-published-over-600-bad-android-apps/

Samples:

8anubisblog5.png

 

 

Suggested Posts

Third-Party Insight into Triada & Related Families

A few weeks ago Google confirmed that there was malware pre-installed on a number of Android devices due to a supply-chain attack. The latest installment was discovered by security researchers from Dr.Web who have been investigating this...

READ MORE »

Data Insights on the BlueKeep Vulnerability

On May 14th, Microsoft issued a warning about the BlueKeep vulnerability (CVE-2019-0708) affecting Remote Desktop Services Protocol (RDP), a component common in most versions of Microsoft Windows that allows remote access to its graphical...

READ MORE »

Fraudulent Android Advertising SDK Installed In Over 15 Million Devices

Every day, BitSight monitors the global threat landscape in a constant effort to identify software that may be placing users and organizations at risk. The presence of malware — or simply potentially unwanted applications — in an...

READ MORE »

Subscribe to get security news and updates in your inbox.