SecurityWeek

OmniRAT-Based Android Backdoor Emerges

A newly discovered Android backdoor appears to be based on the OmniRAT remote administration tool (RAT) that targets Android, Windows, Linux and MacOS devices, Trend Micro security researchers warn.

Dubbed GhostCtrl, the threat masquerades as a legitimate or popular application and uses the names App, MMS, whatsapp, and even Pokemon GO. When launched, however, the malicious Android Application Package (APK) is decoded and saved on the Android device.

The decoded APK is launched by a wrapper APK, and the user is prompted to install it. The prompt, Trend Micro explains, won’t go away even if the user attempts to dismiss it, eventually nagging the user into accepting the installation.

Once the installation has been completed, a service that helps the malicious code run in the background is launched. The backdoor function is usually named com.android.engine, in an attempt to mislead users into believing it is a legitimate system process.

The malware then connects to the command and control (C&C) server to retrieve commands, which the server sends encrypted, but the malicious APK decrypts them upon receipt.

Trend’s security researchers also noticed that the backdoor connects to a domain name rather than directly to the C&C server’s IP address, most probably in an attempt to obscure traffic. Several dynamic DNS (DDNS) hostnames the researchers discovered at some point resolved to the same C&C IP address: hef–klife[.]ddns[.]net, f–klife[.]ddns[.]net, php[.]no-ip[.]biz, and ayalove[.]no-ip[.]biz.
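The C&C pattern described above (several dynamic-DNS hostnames converging on one address) is something a defender can look for in resolver or passive-DNS logs. The following is an added example, not code from the article or from Trend Micro's report: it parses a constructed log format, flags hostnames under well-known dynamic-DNS provider suffixes (an assumed list, to be extended per environment), and groups them by the address they resolved to, so that clusters like the one in the article stand out. The hostnames in the sample are the ones the article lists (written with a plain hyphen); the timestamps, client addresses and resolved IPs are constructed placeholders.

```python
"""Cluster dynamic-DNS hostnames by resolved IP in resolver logs.

Added example, not part of the SecurityWeek article or Trend Micro's
research. Log format, client addresses and resolved IPs are constructed.
"""
import re
from collections import defaultdict

# Assumption: dynamic-DNS provider suffixes worth flagging; extend for your environment.
DDNS_SUFFIXES = ("ddns.net", "no-ip.biz", "no-ip.org", "duckdns.org", "dyndns.org")

# Constructed resolver log lines: "<timestamp> <client> <query> -> <answer>"
SAMPLE_LOG = """\
2017-07-17T10:01:02Z 10.0.0.21 hef-klife.ddns.net -> 203.0.113.10
2017-07-17T10:02:15Z 10.0.0.21 f-klife.ddns.net -> 203.0.113.10
2017-07-17T10:05:40Z 10.0.0.34 php.no-ip.biz -> 203.0.113.10
2017-07-17T10:06:01Z 10.0.0.34 ayalove.no-ip.biz -> 203.0.113.10
2017-07-17T10:07:22Z 10.0.0.50 www.example.com -> 198.51.100.5
2017-07-17T10:08:03Z 10.0.0.50 updates.example.net -> 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")


def parse_log(text):
    """Turn the constructed log format into a list of dict records; skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, answer = m.groups()
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),  # normalise case and trailing dot
            "answer": answer,
        })
    return records


def is_ddns(hostname):
    """True if the hostname is exactly a provider suffix or a subdomain of one.

    The '.' prefix check stops 'x.ddns.net.evil.com' from matching."""
    return any(hostname == s or hostname.endswith("." + s) for s in DDNS_SUFFIXES)


def cluster_ddns_by_ip(records, min_hosts=2):
    """Return {ip: sorted DDNS hostnames} for IPs shared by at least min_hosts DDNS names.

    A single DDNS name is common and mostly benign; several distinct DDNS
    names resolving to one address is the pattern worth a closer look."""
    by_ip = defaultdict(set)
    for r in records:
        if is_ddns(r["qname"]):
            by_ip[r["answer"]].add(r["qname"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


def affected_clients(records, ip):
    """Sorted list of internal clients that received the given IP in an answer."""
    return sorted({r["client"] for r in records if r["answer"] == ip})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, hosts in cluster_ddns_by_ip(recs).items():
        print(f"{ip}: {len(hosts)} DDNS names {hosts}; clients {affected_clients(recs, ip)}")
```

The threshold is deliberately on distinct hostnames per address rather than on query volume: a backdoor that rotates through a handful of DDNS names for resilience produces exactly this shape, while a single home user on a DDNS name does not. Running the script prints the one cluster in the sample along with the two clients that resolved it.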

“A notable command contains action code and Object DATA, which enables attackers to specify the target and content, making this a very flexible malware for cybercriminals. This is the command that allows attackers to manipulate the device’s functionalities without the owner’s consent or knowledge,” Trend Micro says.

The malware can control the Wi-Fi state; monitor the phone sensors’ data in real time; set the phone’s UiMode, such as night mode or car mode; control the vibrate function; download pictures as wallpaper; list the file information in the current directory and upload it to the C&C; delete or rename a file in the indicated directory; upload a desired file to the C&C; create an indicated directory; use the text-to-speech feature (convert text to voice/audio); send SMS/MMS to a number; delete browser history or SMS; download a file; call a phone number; open activity view-related apps; control the system infrared transmitter; and run a shell command and upload the output.

“Another unique C&C command is an integer-type command, which is responsible for stealing the device’s data. Different kinds of sensitive—and to cybercriminals, valuable—information will be collected and uploaded, including call logs, SMS records, contacts, phone numbers, SIM serial number, location, and browser bookmarks,” the researchers explain.

Compared to other Android info-stealers, GhostCtrl can pilfer a great deal of data in addition to the above: Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.

Furthermore, the malware can intercept text messages from phone numbers specified by the attacker and can record voice or audio and upload the recording to the C&C. All the stolen data is sent to the server encrypted.

The malware also includes a series of commands that aren’t usually seen in Android RATs, such as the option to clear/reset the password of an account, set the phone to play different sound effects, specify the content in the Clipboard, customize the notification and shortcut link, control the Bluetooth to search and connect to another device, or set the accessibility to TRUE and terminate an ongoing phone call.

The first GhostCtrl version packed a framework to gain admin-level privilege, but had no function codes. These were included in the subsequent variants, which also added a growing number of device features the attacker could hijack. The second version could also work as ransomware by locking the device’s screen and resetting the password, and could root the device. The third version, the security researchers say, includes obfuscation techniques to hide its malicious routines.

“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares,” Trend Micro said.

Related: Multi-Platform RAT OmniRAT Used to Hijack Devices

Related: SpyDealer Malware Steals Private Data From Popular Android Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
