The Avast Threat Intelligence Team explains Ghost Push and how you can protect yourself.
Ghost Push is a malware family that exploits vulnerabilities to gain root access to Android devices to then download and review other apps in the background. Using social engineering, users are tricked into downloading Ghost Push from third party app stores or via links sent in text messages. Once installed, Ghost Push tries to gain root access. As the name suggests, Ghost Push acts in a ghostly fashion once it has root access, meaning infected users don’t notice anything – everything happens in the background. Recently, a new variant of the Ghost Push malware, Gooligan, was detected spreading in the wild. The Gooligan variant steals email addresses and authentication tokens stored on the infected devices, gaining access to users’ Google account data, including Gmail and Google Play. More than one million users’ Google Play accounts were affected.
Is Ghost Push really that threatening? Based on our research, the earliest form of Ghost Push could be tracked back to a variant of adware called Xinyinhe, which was discovered in 2014. Xinyinhe was developed by a Chinese company located in Shenzhen that focused on mobile game promotion at the time. In order to install apps without users noticing, Xinyinhe exploited users’ Android devices to gain root access.
(Xinyinhe’s server address)
(Snapshot of Ghost Push exploiting with GingerBreak)
With all the apps available on Google Play, mobile app companies are under pressure to make sure their apps have a high number of installs and positive reviews. Due to this, underground promotion platforms were born one after another. Below is a famous picture of app promotion companies manually activating apps with Android device clusters in China.
Gooligan, a nickname Check Point gave for a variant of Ghost Push, is more complicated than Xinyinhe. After exploiting the device to gain root access, Gooligan will hijack the user’s Google Play account in order to download apps from Google Play – silently – and then rate them. Most Android devices used in China don’t support the Google Play framework, so Chinese users download apps from local Android app stores. Therefore, users in Southeast Asia became the main victims of Gooligan. In some Southeast Asian countries, cheap Android smartphones are very popular, and Google Play is supported in these countries. Sadly, cheap Android devices are usually shipped with older versions of the Android operating system and have no upgrading functionality. As a result, the most widely used Android versions in Southeast Asian countries are between Android versions 4.2 and 4.4. These versions have security issues and vulnerabilities and once they’re infected by Gooligan, Gooligan can easily get root access.
In the last two years, famous root exploit programs were open to public, such as DirtyCow, iovroot, Pingpong root, etc. This makes it much easier for Gooligan to implement more root power to root new devices. So, in addition to users in Southeast Asia, users in Europe and the Americas were also affected, if they are using older versions of the Android operating system.
The hash of Xinyinhe sample described is e6dbf2d24c1450b2ea72604c5705bdf72dd02c92eb2873c52a0a80f97eda745a
Android owners with Avast Mobile Security can now use remote controls to find lost or stolen phones, and even get a picture of the thief in the process.
Mobile malware authors are once again trying to circumvent antivirus detections by using a sandbox.