Ghost Push

Last updated

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious and unwanted software. [1] [2] The malware appears to have been discovered in September 2015 by the security research lab at Cheetah Mobile, who subsequently developed diagnostic software to determine whether a device has been compromised. [3] As of September 2015, twenty variants were in circulation. [4] Latter day versions employed routines which made them harder to detect and remove. [1]

The malware hogs all the system resources, making the phone slow, draining the battery and consuming cellular data. [3] Advertisements continually appear either as full or partial screen ads or in the status bar. The applications installed by the malware appear to be difficult to remove, impervious to anti-virus software and even surviving a factory reset of the device. [2]

Infection typically comes via downloading applications from third-party app stores, [4] where at least thirty-nine applications have been identified as carriers. [3] At its peak, the Ghost Push virus infected more than 600,000 devices daily, [3] with 50% of infections occurring from India, as well as from Indonesia and the Philippines, ranking second and third.

The malware was discovered in September 2015 by Cheetah Mobile's security research lab. [2] [3] [5] [6] [7]

Related Research Articles

Adware, often called advertising-supported software by its developers, is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a "pay-per-click" basis, if the user clicks on the advertisement. Some advertisements also act as spyware, collecting and reporting data about the user, to be sold or used for targeted advertising or user profiling. The software may implement advertisements in a variety of ways, including a static box display, a banner display, a full screen, a video, a pop-up ad or in some other form. All forms of advertising carry health, ethical, privacy and security risks for users.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

A dropper is a Trojan horse that has been designed to install malware onto a computer. The malware within the dropper can be packaged to evade detection by antivirus software. Alternatively, the dropper may download malware to the target computer once activated.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The sandbox metaphor derives from the concept of a child's sandbox—a play area where kids can build, destroy, and experiment without causing any real-world damage. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

<span class="mw-page-title-main">Malwarebytes</span> Internet security company

Malwarebytes Inc. is an American Internet security company that specializes in protecting home computers, smartphones, and companies from malware and other threats. It has offices in Santa Clara, California; Clearwater, Florida; Tallinn, Estonia; Bastia Umbra, Italy; and Cork, Ireland.

Pre-installed software is software already installed and licensed on a computer or smartphone bought from an original equipment manufacturer (OEM). The operating system is usually factory-installed, but because it is a general requirement, this term is used for additional software apart from the bare necessary amount, usually from other sources.

<span class="mw-page-title-main">Malvertising</span> Use of online advertisement or advertising to spread malware

Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

<span class="mw-page-title-main">Android Debug Bridge</span> Tool for debugging Android-based devices

The Android Debug Bridge is a programming tool used for the debugging of Android-based devices. The daemon on the Android device connects with the server on the host PC over USB or TCP, which connects to the client that is used by the end-user over TCP. Made available as open-source software under the Apache License by Google since 2007, its features include a shell and the possibility to make backups. The adb software is available for Windows, Linux and macOS. It has been misused by botnets and other malware, for which mitigations were developed such as RSA authentication and device whitelisting.

A mobile application or app is a computer program or software application designed to run on a mobile device such as a phone, tablet, or watch. Mobile applications often stand in contrast to desktop applications which are designed to run on desktop computers, and web applications which run in mobile web browsers rather than directly on the mobile device.

<span class="mw-page-title-main">Google Play</span> Digital distribution service by Google

Google Play, also known as the Google Play Store or Play Store and formerly Android Market, is a digital distribution service operated and developed by Google. It serves as the official app store for certified devices running on the Android operating system and its derivatives, as well as ChromeOS, allowing users to browse and download applications developed with the Android software development kit and published through Google. Google Play has also served as a digital media store, offering games, music, books, movies, and television programs. Content that has been purchased on Google Play Movies & TV and Google Play Books can be accessed on a web browser and through the Android and iOS apps.

<span class="mw-page-title-main">F-Droid</span> Repository for free and open source Android apps

F-Droid is an open-source app store and software repository for Android, serving a similar function to the Google Play store. The main repository, hosted by the project, contains only free and open source apps. Applications can be browsed, downloaded and installed from the F-Droid website or client app without the need to register for an account. "Anti-features" such as advertising, user tracking, or dependence on non-free software are flagged in app descriptions.

WireLurker is a family of malware targeting both macOS and iOS systems. The malware was designed to target users in China that use Apple mobile and desktop devices. The malware was suspected of infecting thousands of Chinese mobile devices. The security firm Palo Alto Networks is credited with uncovering the malware.

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. Antivirus companies define the software bundled as potentially unwanted programs which can include software that displays intrusive advertising (adware), or tracks the user's Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user. A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software. The practice is widely considered unethical because it violates the security interests of users without their informed consent. Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because they make computers vulnerable to serious cyberattacks. Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.

XcodeGhost are modified versions of Apple's Xcode development environment that are considered malware. The software first gained widespread attention in September 2015, when a number of apps originating from China harbored the malicious code. It was thought to be the "first large-scale attack on Apple's App Store", according to the BBC. The problems were first identified by researchers at Alibaba, a leading e-commerce firm in China. Over 4000 apps are infected, according to FireEye, far more than the 25 initially acknowledged by Apple, including apps from authors outside China.

Brain Test was a piece of malware masquerading as an Android app that tested the users IQ. Brain Test was discovered by security firm Check Point and was available in the Google Play app store until 15 September 2015. Check Point described Brain Test as "A new level of sophistication in malware".

Shedun is a family of malware software targeting the Android operating system first identified in late 2015 by mobile security company Lookout, affecting roughly 20,000 popular Android applications. Lookout claimed the HummingBad malware was also a part of the Shedun family, however, these claims were refuted.

HummingBad is Android malware, discovered by Check Point in February 2016.

Xafecopy Trojan is a malware software targeting the Android operating system, first identified in September 2017 by cybersecurity and antivirus provider Kaspersky Lab. According to Kaspersky Lab, Xafecopy infected at least 4,800 users within a month in approximately 47 countries. Users in India were its primary victims, followed by users from Russia, Turkey, and Mexico.

References

  1. 1 2 Yang, Yang; Pan, Jordan (30 September 2015). "New "Ghost Push" Variants Sport Guard Code; Malware Creator Published Over 600 Bad Android Apps". Security Intelligence Blog (Blog posting). Trend Micro. Retrieved 18 May 2019.
  2. 1 2 3 "'Ghost Push' Malware Infects 600K Android Users Daily". tripwire.com. 22 September 2015. Retrieved 2016-01-09.
  3. 1 2 3 4 5 Yeung, Ken (18 September 2015). "Cheetah Mobile: 'Ghost Push' Android virus infects 600k+ users a day with unwanted apps" (Blog or News (unclear)). VentureBeat. Retrieved 18 May 2019.
  4. 1 2 Neal, Dave (1 October 2015). "Ghost Push malware is putting the willies up Android users - TheINQUIRER". The Inquirer. London: Incisive Business Media. Archived from the original on October 2, 2015. Retrieved 18 May 2019.{{cite web}}: CS1 maint: unfit URL (link)
  5. "How to avoid the new Android "Ghost Push" virus | One Page | Komando.com". komando.com. Archived from the original on 2015-09-23. Retrieved 2016-01-09.
  6. "Ghost Push malware can root devices and install unwanted apps - here is the fix". androidauthority.com. 13 October 2015. Retrieved 2016-01-09.
  7. "'Ghost Push': An Un-Installable Android Virus Infecting 600,000+ Users Per Day - The world's leading mobile tools provider". cmcm.com. Archived from the original on 2016-01-19. Retrieved 2016-01-09.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.