{
	"id": "6440e71b-d879-408f-8c11-6b2b2cf57113",
	"created_at": "2026-04-06T00:14:43.156936Z",
	"updated_at": "2026-04-10T13:12:24.344656Z",
	"deleted_at": null,
	"sha1_hash": "98c060002fb640a9c948243daf477e708d4dff2b",
	"title": "Android Backdoor GhostCtrl Records Your Audio, Video",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82727,
	"plain_text": "Android Backdoor GhostCtrl Records Your Audio, Video\r\nPublished: 2017-07-17 · Archived: 2026-04-02 10:45:02 UTC\r\nUpdated as of August 6, 2017, 7:45 PM PDT to clarify GhostCtrl's attack vectors.\r\nThe information-stealing RETADUP worm that affected Israeli hospitals is actually just part of an attack that\r\nturned out to be bigger than we first thought—at least in terms of impact. It was accompanied by an even more\r\ndangerous threat: an Android malware that can take over the device.\r\nDetected by Trend Micro as ANDROIDOS_GHOSTCTRL.OPS / ANDROIDOS_GHOSTCTRL.OPSA, we’ve\r\nnamed this Android backdoor GhostCtrl as it can stealthily control many of the infected device’s functionalities.\r\nGhostCtrl was hosted in RETADUP's C\u0026C infrastructure, and the samples we analyzed masqueraded as a\r\nlegitimate or popular app that uses the names App, MMS, whatsapp, and even Pokemon GO. Socially engineered\r\nphishing emails were also attack vectors; they had malicious URLs that led would-be victims to download these\r\napps.\r\nThere are three versions of GhostCtrl. The first stole information and controlled some of the device’s\r\nfunctionalities without obfuscation, while the second added more device features to hijack. The third iteration\r\ncombines the best of the earlier versions’ features—and then some. Based on the techniques each employed, we\r\ncan only expect it to further evolve.\r\nGhostCtrl is literally a ghost of itself\r\nGhostCtrl is also actually a variant (or at least based on) of the commercially sold, multiplatform OmniRAT that\r\nmade headlines in November 2015. It touts that it can remotely take control of Windows, Linux,\r\nand Mac systems at the touch of an Android device’s button—and vice versa. A lifetime license for an OmniRAT\r\npackage costs between US $25 and $75. 
Predictably, OmniRAT cracking tutorials abound in various underground\r\nforums, and some of its members even provide patchers for it.\r\nThere’s actually a red flag that shows how the malicious APK is an OmniRAT spinoff. Given that it’s a RAT as a\r\nservice, this can be modified (or removed) during compilation.\r\nFigure 1: Snapshot of GhostCtrl version 3’s resources.arsc file indicating it’s an OmniRAT variant (highlighted)\r\nGhostCtrl is hauntingly persistent\r\nWhen the app is launched, it base64-decodes a string from the resource file and writes the result out as a file, which is actually\r\nthe malicious Android Application Package (APK).\r\nOnce the wrapper APK dynamically launches it, the malicious APK asks the user to install it. Avoiding it is very\r\ntricky: even if the user cancels the “ask for install page” prompt, the message will still pop up immediately. The\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/\r\nPage 1 of 5\n\nmalicious APK doesn’t have an icon. Once installed, the wrapper APK launches a service that lets the main,\r\nmalicious APK run in the background:\r\nFigure 2: How the wrapper APK leads to the main APK\r\nThe main APK has backdoor functions usually named com.android.engine to mislead the user into thinking it’s a\r\nlegitimate system application. The malicious APK will then connect to the C\u0026C server to retrieve commands via\r\na socket (an endpoint for communication between machines), new Socket(\"hef--klife[.]ddns.net\", 3176).\r\nGhostCtrl can possess the infected device to do its bidding\r\nThe commands from the C\u0026C server are encrypted and locally decrypted by the APK upon receipt. Interestingly,\r\nwe also found that the backdoor connects to a domain name rather than directly connecting to the C\u0026C server’s IP\r\naddress. This can be an attempt to obscure their traffic. 
We also found several dynamic DNS (DDNS) hostnames,\r\nwhich at some point led to the same C\u0026C IP address:\r\nhef--klife[.]ddns[.]net\r\nf--klife[.]ddns[.]net\r\nphp[.]no-ip[.]biz\r\nayalove[.]no-ip[.]biz\r\nA notable command contains an action code and Object DATA, which enables attackers to specify the target and\r\ncontent, making this a very flexible malware for cybercriminals. This is the command that allows attackers to\r\nmanipulate the device’s functionalities without the owner’s consent or knowledge.\r\nHere’s a list of some of the action codes and what each does to the device:\r\nACTION CODE= 10, 11: Control the Wi-Fi state\r\nACTION CODE= 34: Monitor the phone sensors’ data in real time\r\nACTION CODE= 37: Set phone’s UiMode, like night mode/car mode\r\nACTION CODE= 41: Control the vibrate function, including the pattern and when it will vibrate\r\nACTION CODE= 46: Download pictures as wallpaper\r\nACTION CODE= 48: List the file information in the current directory and upload it to the C\u0026C server\r\nACTION CODE= 49: Delete a file in the indicated directory\r\nACTION CODE= 50: Rename a file in the indicated directory\r\nACTION CODE= 51: Upload a desired file to the C\u0026C server\r\nACTION CODE= 52: Create an indicated directory\r\nACTION CODE= 60: Use the text to speech feature (translate text to voice/audio)\r\nACTION CODE= 62: Send SMS/MMS to a number specified by the attacker; the content can also be\r\ncustomized\r\nACTION CODE= 68: Delete browser history\r\nACTION CODE= 70: Delete SMS\r\nACTION CODE= 74: Download file\r\nACTION CODE= 75: Call a phone number indicated by the attacker\r\nACTION CODE= 77: Open activity view-related apps; the Uniform Resource Identifier (URI) can also be\r\nspecified by the attacker (open browser, map, dial view, etc.)\r\nACTION CODE= 78: Control the system 
infrared transmitter\r\nACTION CODE= 79: Run a shell command specified by the attacker and upload the output result\r\nAnother unique C\u0026C command is an integer-type command, which is responsible for stealing the device’s data.\r\nDifferent kinds of sensitive—and to cybercriminals, valuable—information will be collected and uploaded,\r\nincluding call logs, SMS records, contacts, phone numbers, SIM serial number, location, and browser bookmarks.\r\nThe data GhostCtrl steals is extensive, compared to other Android info-stealers. Besides the aforementioned\r\ninformation types, GhostCtrl can also pilfer information like Android OS version, username, Wi-Fi, battery,\r\nBluetooth, and audio states, UiMode, sensor, data from camera, browser, and searches, service processes, activity\r\ninformation, and wallpaper.\r\nIt can also intercept text messages from phone numbers specified by the attacker. Its most daunting capability is\r\nhow it can surreptitiously record voice or audio, then upload it to the C\u0026C server at a certain time. All the stolen\r\ncontent is encrypted before it is uploaded to the C\u0026C server.\r\nFigure 3: Code snapshot showing how some information will be deleted after upload\r\nFigure 4: Most of the related function codes for stealing information are in the “transfer” package.\r\nThe other C\u0026C commands are self-defined, such as “account”, “audioManager”, and “clipboard”. These\r\ncommands will trigger malicious routines. 
It’s worth noting that these aren’t commonly seen in Android RATs:\r\nClearing/resetting the password of an account specified by the attacker\r\nGetting the phone to play different sound effects\r\nSpecifying the content of the clipboard\r\nCustomizing the notification and shortcut link, including the style and content\r\nControlling Bluetooth to search for and connect to another device\r\nSetting the accessibility to TRUE and terminating an ongoing phone call\r\nHow do GhostCtrl’s versions stack up to each other?\r\nGhostCtrl’s first version has a framework that enables it to gain admin-level privilege. While it had no function\r\ncodes at the time, the second version did. The features to be hijacked also incrementally increased as the malware\r\nevolved into its second and third iterations.\r\nFigure 5: Framework of GhostCtrl’s first version for gaining admin-level privilege\r\nFigure 6: Comparison of backdoor function of the first (left) and second (right) versions\r\nFigure 7: Code snapshot of GhostCtrl’s second version applying device admin privileges\r\nGhostCtrl’s second version can also act as mobile ransomware. It can lock the device’s screen and reset its\r\npassword, and also root the infected device. It can also hijack the camera, create a scheduled task of taking\r\npictures or recording video, then surreptitiously upload them to the C\u0026C server as mp4 files.\r\nFigure 8: Code snapshot showing GhostCtrl’s ransomware-like capability\r\nFigure 9: Code snapshot showing how GhostCtrl roots the infected device\r\nThe third version of GhostCtrl incorporates obfuscation techniques to hide its malicious routines, as shown below:\r\nFigure 10: The attack chain of GhostCtrl’s third version\r\nIn GhostCtrl’s third version, the wrapper APK first drops a packed APK. 
The latter unpacks the main APK, a\r\nDalvik executable (DEX), and an Executable and Linkable Format file (ELF). The DEX and ELF files decrypt\r\nstrings and Application Programming Interface (API) calls in the main malicious APK at runtime. This\r\nlong-winded attack chain helps make detection more challenging, exacerbated by the fact that the wrapper APK\r\nhides the packed APK as well as the DEX and ELF files in the assets directory.\r\nMitigation\r\nGhostCtrl’s combination with an information-stealing worm, while potent, is also telling. The attackers tried to\r\ncover their bases, and made sure that they didn’t just infect endpoints. And with the ubiquity of mobile devices\r\namong corporate and everyday end users, GhostCtrl’s capabilities can indeed deliver the scares.\r\nBut more than its impact, GhostCtrl underscores the importance of defense in depth. Multilayered security\r\nmechanisms should be deployed so that the risks to data are better managed. Some of the best practices that\r\ninformation security professionals and IT/system administrators can adopt to secure bring-your-own devices\r\n(BYOD) include:\r\nKeep the device updated; Android patching is fragmented and organizations may have custom\r\nrequirements or configurations needed to keep the device updated, so enterprises need to balance\r\nproductivity and security\r\nApply the principle of least privilege—restrict user permissions for BYOD devices to prevent unauthorized\r\naccess and installation of dubious apps\r\nImplement an app reputation system that can detect and block malicious and suspicious apps\r\nDeploy firewalls, intrusion detection, and prevention systems at both the endpoint and mobile device levels\r\nto preempt the malware’s malicious network activities\r\nEnforce and strengthen your mobile device management policies to further reduce potential security risks\r\nEmploy encryption, network segmentation and data segregation to limit further exposure 
or damage to data\r\nRegularly back up data in case of device loss, theft, or malicious encryption\r\nTrend Micro Solutions\r\nEnd users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™\r\nMobile Security for Android™, which is also available on Google Play.\r\nTrend Micro™ Mobile Security for Enterprise provides device, compliance and application management,\r\ndata protection, and configuration provisioning, as well as protects devices from attacks that leverage\r\nvulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent\r\nwebsites.\r\nA list of all the hashes (SHA-256) detected as\r\nANDROIDOS_GHOSTCTRL.OPS/ANDROIDOS_GHOSTCTRL.OPSA is in this appendix.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/"
	],
	"report_names": [
		"android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more"
	],
	"threat_actors": [],
	"ts_created_at": 1775434483,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98c060002fb640a9c948243daf477e708d4dff2b.pdf",
		"text": "https://archive.orkl.eu/98c060002fb640a9c948243daf477e708d4dff2b.txt",
		"img": "https://archive.orkl.eu/98c060002fb640a9c948243daf477e708d4dff2b.jpg"
	}
}