Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

OmniRAT-Based Android Backdoor Emerges

A newly discovered Android backdoor appears to be based on the OmniRAT remote administration tool (RAT) that targets Android, Windows, Linux and MacOS devices, Trend Micro security researchers warn.

A newly discovered Android backdoor appears to be based on the OmniRAT remote administration tool (RAT) that targets Android, Windows, Linux and MacOS devices, Trend Micro security researchers warn.

Dubbed GhostCtrl, the threat masquerades as a legitimate or popular application and uses the names App, MMS, whatsapp, and even Pokemon GO. When launched, however, the malicious Android Application Package (APK) is decoded and saved on the Android device.

The APK is dynamically clicked by a wrapper and the user is prompted to install it. The prompt, Trend Micro explains, won’t go away even if the user attempts to dismiss the message, thus eventually annoying the user into accepting the installation.

Once the installation has been completed, a service that helps the malicious code run in the background is launched. The backdoor function is usually named, in an attempt to mislead users into believing it is a legitimate system process.

The malware then connects to the command and control (C&C) server to retrieve commands, which the server sends encrypted, but the malicious APK decrypts them upon receipt.

Trend’s security researchers also noticed that the backdoor connects to a domain rather than directly to the C&C server’s IP address, most probably in an attempt to obscure traffic. Several Dynamic Name Servers (DNS) the researchers discovered at some point led to the same C&C IP address: hef–klife[.]ddns[.]net, f–klife[.]ddns[.]net, php[.]no-ip[.]biz, and ayalove[.]no-ip[.]biz.

“A notable command contains action code and Object DATA, which enables attackers to specify the target and content, making this a very flexible malware for cybercriminals. This is the command that allows attackers to manipulate the device’s functionalities without the owner’s consent or knowledge,” Trend Micro says.

The malware can control the Wi-Fi state; monitor the phone sensors’ data in real time; set phone’s UiMode, like night mode/car mode; control the vibrate function; download pictures as wallpaper; list the file information in the current directory and upload it to the C&C; delete/rename a file in the indicated directory; upload a desired file to the C&C; create an indicated directory; use the text to speech feature (translate text to voice/audio); send SMS/MMS to a number; delete browser history or SMS; download a file; call a phone number; open activity view-related apps; control the system infrared transmitter; and run a shell command and upload the output result.

“Another unique C&C command is an integer-type command, which is responsible for stealing the device’s data. Different kinds of sensitive—and to cybercriminals, valuable—information will be collected and uploaded, including call logs, SMS records, contacts, phone numbers, SIM serial number, location, and browser bookmarks,” the researchers explain.

Compared to other Android info-stealers, GhostCtrl can pilfer a great deal of data in addition to the above: Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.

Furthermore, the malware can intercept text messages from phone numbers specified by the attacker and can record voice or audio and upload the recording to the C&C. All the stolen data is sent to the server encrypted.

The malware also includes a series of commands that aren’t usually seen in Android RATs, such as the option to clear/reset the password of an account, set the phone to play different sound effects, specify the content in the Clipboard, customize the notification and shortcut link, control the Bluetooth to search and connect to another device, or set the accessibility to TRUE and terminate an ongoing phone call.

The first GhostCtrl packed a framework to gain admin-level privilege, but had no function codes. These, however, were included in the subsequent variants, which also added an increasing number of features to be hijacked. The second version could also work as ransomware by locking the device’s screen and resetting the password, and could root the device. The third version, the security researchers say, includes obfuscation techniques to hide its malicious routines.

“GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares,” Trend Micro said.

Related: Multi-Platform RAT OmniRAT Used to Hijack Devices

Related: SpyDealer Malware Steals Private Data From Popular Android Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.