A new Android malware strain named GhostSpy has been discovered, allowing attackers to take full control of infected smartphones and tablets. The malware uses advanced techniques to avoid detection and maintain long-term access to user data.
Identified by cybersecurity researchers at Cyfirma, GhostSpy is a web-based Remote Access Trojan (RAT) that spreads through fake app updates or disguised system utilities. Once installed, it silently gains elevated permissions and installs a secondary payload to begin surveillance.
Advanced Control and Surveillance
GhostSpy gives hackers full control of a device. It can:
- Log keystrokes
- Capture screens, audio, and video
- Access SMS messages and call logs
- Track GPS location
- Execute remote commands
More alarmingly, it bypasses protections in banking apps by reconstructing their user interface, enabling it to steal sensitive financial information.
International Threat Infrastructure
Researchers found that the malware’s command-and-control (C2) servers are mainly hosted in Brazil. These servers support multiple languages, including Portuguese, English, and Spanish—pointing to a broad, international campaign.
The primary C2 server is located at stealth.gstpainel.fun, with additional endpoints on ports 3000 and 4200.
Stealthy Infection Strategy
GhostSpy uses a multi-step infection process. The first step is a dropper app that includes a method called updateApp(). This method checks for the permission to install unknown apps. If not granted, it redirects the user to the Android settings screen to enable the permission.
Once allowed, the dropper extracts a file named update.apk and installs it using Android’s Intent system. This triggers the malware’s main payload, com.support.litework.
Automated Permission Handling
To operate without user awareness, GhostSpy automates the permission-granting process. One method, AllowPrims14_normal, simulates screen taps across common button areas. It adjusts tap positions and delays to mimic human behavior, reducing the risk of detection.
Another method, getAutomaticallyPermission, navigates the screen using AccessibilityNodeInfo to find buttons with labels like “Allow,” “While using the app,” or “Permitir.” It then automatically clicks these buttons to gain access.
This system supports multiple languages, showing the malware’s readiness to attack users globally across different Android versions and regional settings.
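As an added example that is not part of the Cyfirma report, the script below turns the behaviour described in the last two sections into static triage findings for one decoded APK: the dropper stage (permission to install unknown apps plus a bundled APK), the consent automation (an accessibility service plus multilingual "Allow" labels), and the C2 host and payload package named above. The permission names REQUEST_INSTALL_PACKAGES and BIND_ACCESSIBILITY_SERVICE are the standard Android identifiers inferred from that behaviour, not quoted by the article; the manifest and string list are constructed.

```python
# Static triage for GhostSpy-style dropper/payload pairs. Added example, not
# code from the Cyfirma report; the manifest and strings below are constructed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"   # "install unknown apps"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"    # AccessibilityNodeInfo use
# Indicators quoted in the article: C2 host, payload package, consent labels.
C2_HOSTS = {"stealth.gstpainel.fun"}
PAYLOAD_PACKAGES = {"com.support.litework"}
CONSENT_LABELS = {"allow", "while using the app", "permitir"}

# Constructed stand-ins for a decoded AndroidManifest.xml and for string
# constants pulled from decompiled classes (as apktool or jadx would give).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".Helper"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
SAMPLE_STRINGS = ["https://stealth.gstpainel.fun:3000/", "update.apk",
                  "Permitir", "While using the app"]


def triage(manifest_xml, strings):
    """Return per-indicator findings and a verdict for one APK."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    svc_perms = {s.get(NS + "permission") for s in root.iter("service")}
    low = [s.lower() for s in strings]
    f = {
        "can_sideload": INSTALL_PERM in perms,
        "accessibility_service": A11Y_PERM in svc_perms,
        "bundled_apk": any(s.endswith(".apk") for s in low),
        "consent_labels": sorted(lab for lab in CONSENT_LABELS if any(lab in s for s in low)),
        "known_c2": sorted(h for h in C2_HOSTS if any(h in s for s in low)),
        "known_payload": sorted(p for p in PAYLOAD_PACKAGES
                                if p == root.get("package") or p in strings),
    }
    # Dropper stage: may install unknown apps and ships an APK to hand to the installer.
    f["dropper_pattern"] = f["can_sideload"] and f["bundled_apk"]
    # Consent automation: an accessibility service plus multilingual "Allow" labels.
    f["consent_automation"] = f["accessibility_service"] and len(f["consent_labels"]) >= 2
    f["verdict"] = ("known_ghostspy" if f["known_c2"] or f["known_payload"] else
                    "suspicious" if f["dropper_pattern"] or f["consent_automation"] else
                    "clean")
    return f
```

The behavioural checks (dropper_pattern, consent_automation) are what survive a change of C2 domain or package name, so they are the ones worth keeping in a detection pipeline once the quoted indicators go stale.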
Conclusion
GhostSpy represents a serious evolution in mobile malware. Its combination of traditional RAT features with abuse of modern Android capabilities, such as accessibility services and the unknown-app install permission, makes it especially dangerous for both personal privacy and financial security. Experts warn users to avoid sideloading apps and to regularly check permission settings for suspicious activity.