Android Backdoor Hack GhostCtrl can Silently Record Your Audio, Video & More!

There are three versions of GhostCtrl. The first stole information and controlled some of the device’s functionalities without obfuscation, while the second added more device features to hijack. The third iteration combines the best of the earlier versions’ features—and then some. Based on the techniques each employed, we can only expect it to further evolve.

What can it do to your android?

  • Clearing/resetting the password of an account specified by the attacker
  • Getting the phone to play different sound effects
  • Specify the content in the Clipboard
  • Customize the notification and shortcut link, including the style and content
  • Control the Bluetooth to search and connect to another device
  • Set the accessibility to TRUE and terminate an ongoing phone call

The data GhostCtrl steals is extensive, compared to other Android info-stealers. Besides the aforementioned information types, GhostCtrl can also pilfer information like Android OS version, username, Wi-Fi, battery, Bluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity information, and wallpaper.

It can also intercept text messages from phone numbers specified by the attacker. Its most daunting capability is how it can surreptitiously record voice or audio, then upload it to the C&C server at a certain time. All the stolen content will be encrypted before they’re uploaded to the C&C server.

GhostCtrl’s first version has a framework that enables it to gain admin-level privilege. While it had no function codes at the time, the second version did. The features to be hijacked also incrementally increased as the malware evolved into its second and third iterations.

GhostCtrl’s second version can also be a mobile ransomware. It can lock the device’s screen and reset its password, and also root the infected device. It can also hijack the camera, create a scheduled task of taking pictures or recording video, then surreptitiously upload them to the C&C server as mp4 files.


GhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to cover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices among corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares.

But more than its impact, GhostCtrl underscores the importance of defense in depth. Multilayered security mechanisms should be deployed so that the risks to data are better managed. Some of the best practices that information security professionals and IT/system administrators can adopt to secure bring-your-own devices (BYOD) include:

  • Keep the device updated; Android patching is fragmented and organizations may have custom requirements or configurations needed to keep the device updated, so enterprises need to balance productivity and security
  • Apply the principle of least privilege—restrict user permissions for BYOD devices to prevent unauthorized access and installation of dubious apps
  • Implement an app reputation system that can detect and block malicious and suspicious apps
  • Deploy firewalls, intrusion detection, and prevention systems at both the endpoint and mobile device levels to preempt the malware’s malicious network activities
  • Enforce and strengthen your mobile device management policies to further reduce potential security risks
  • Employ encryption, network segmentation and data segregation to limit further exposure or damage to data
  • Regularly back up data in case of device loss, theft, or malicious encryption

Source: Trend Micro