Data443 & Cyren
Products
- - - Products
    - For OEMs
    - Malware Detection
    - Malware Analysis
    - URL Categorization
    - Email Security
    - Threat Intelligence
    - For Enterprises
    - Malware Analysis
    - Inbox Security for Office 365
    - Threat Intelligence
  - - In the News
      
      Online Businesses Become a Phisher’s Playground
      Not nearly enough businesses have deployed sufficient security measures against phishing attacks through website builders and CMS platforms.Read Article on DarkReading >
      
      Go to Newsroom >
Solutions
- - - Expert Support
      
      Cyren’s dedicated security analysts have the expertise to deeply investigate sophisticated threats – their embedded documents and messy code.
      
      And from their vantage point across companies, geographies, and industries, analysts can track emerging attack vectors and prevent breaches.
      
      “For any false positive or user reported items, we do not need to be involved. Cyren’s dedicated team is on top of all these items.”
      
      via Gartner Peer Insights
Resources
- - - Recent Posts
      - Analyzing behavior to protect against BEC attacks December 22, 2022
      - Using NLP techniques to protect against BEC attacks December 8, 2022
      - Phishing with QR codes December 1, 2022
Company
- - - Company
    - About Cyren
    - Careers
    - Management
    - In the News
    - Contact Us
  - - In the News
      
      Online Businesses Become a Phisher’s Playground
      Not nearly enough businesses have deployed sufficient security measures against phishing attacks through website builders and CMS platforms.Read Article on DarkReading >
      
      Go to Newsroom >
BOOK A DEMO

Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Hidden Malware and the Ghosts of Mobile Technology

Android Malware “GhostPush”

Already discovered packaged into 39 different Android apps, “GhostPush” (sometimes also called “Rootnik”) malware turns an infected device into a platform for the installation of adware, unwanted homescreen links, and further malware. Victims have found the malware to be deeply entrenched and difficult to remove.

Hidden Malware and Ghosts of Mobile Technology

Malicious Code via Popular Flashlight App

The malicious code is initially installed when the Android user downloads an infected version of a popular application, such as a flashlight app or a popular game from a 3rd party app store.

Ghost Push Malware - Flash Light

While the infected app is functional, it also gathers information about the host device and sends it to a command and control (C&C) server. The server then replies by sending an Android Application Package (.apk) file tailored to root the specific device type. After rooting the device, the malware replaces and modifies system files and installs a malicious service called cameraupdate.apk into the root system folder (“system/priv-app”). Installation files present in the “priv-app” directory are run every time the device starts. In this way, the malware can reinstall itself if removed, ultimately making it very hard to uninstall.

A Service Called “MonkeyTest”

Cameraupdate.apk then installs a service called “MonkeyTest” (other names, such as TimeService, might also be used). MonkeyTest is able to install unknown applications (primarily adware-related) without the user’s knowledge, turn off WIFI, and use the mobile data to download other malicious applications, potentially costing the victim excessive amounts in data charges. The malware also drains the battery and slows the device. MonkeyTest gathers device information, such as the International Mobile Station Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), and app packages installed.

Ghost Push Malware - MonkeyTest

Malware Originates from Non-GooglePlay Store Sources

Based on the code and app signatures, CYREN believes the source of the malware to be China. GhostPush is detected by CYREN as AndroidOS/Rootnik.A.gen!Eldorado. As the malware originates from non-GooglePlay store sources, we once again caution users about downloading apps that require enabling the “Unknown Sources” check box.

This infographic summarizes the whole GhostPush procedure:

Ghost Push Malware - Overview

Further information on malware detection can be found in CYREN’s Q3 Cyber Threat Report.

Dec 1, 2015 | Security Research & Analysis

Categories

You might also like

Analyzing behavior to protect against BEC attacks

Business Email Compromise

Understanding “normal” behaviors in email exchanges are key to combating advanced phishing and BEC attacks by John Stevenson Detecting Business Email Compromise (BEC) In the final part of our series of blogs on Business Email Compromise (BEC), it’s time to look at how...

Using NLP techniques to protect against BEC attacks

Business Email Compromise, Office 365, Phishing

How Natural Language Programming help combat phishing and BEC attacks by John Stevenson Business Email Compromise (BEC) Business Email Compromise (BEC) covers a range of email attacks that typically share a common core attribute. There is no obvious executable...

Phishing with QR codes

Phishing, Security Research & Analysis

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...