
Android Backdoor GhostCtrl Can Silently Record Your Audio, Video, and More - bmc7505
https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/
======
debatem1
Why is this being called a backdoor? Is there any indication that that's what
it is? Except for the headline, the only claim even remotely as serious made
in the article is that it can root some devices, and figuring out which ones
is left as an exercise for the reader...

~~~
fulafel
C&C servers, evasion techniques like masquerading as system package,
bootstrapping the encrypted payload malware with a wrapper APK, ransomware
features, piles of exfiltrated information, intercepting calls and text
messages, ransomware functionality... it's like a crook with a record the size
of a phonebook.

~~~
captainlego
But, unless I somehow missed a big point, doesn't it start with the user
installing a malicious package?

~~~
fulafel
Not knowingly. Sounds like there is a phony app as a phishing style infection
vector:

"The malware masquerades as a legitimate or popular app that uses the names
App, MMS, whatsapp, and even Pokemon GO. When the app is launched, it
base64-decodes a string from the resource file and writes it down, which is
actually the malicious Android Application Package (APK)."

The user has a legitimate expectation that the app sandbox containment
provided by the OS works and nothing bad should happen if s/he tries out the
aforementioned apps.

This type of malware is commonly called a backdoor; see e.g.
[http://www.virusradar.com/en/glossary/backdoor](http://www.virusradar.com/en/glossary/backdoor)
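The quoted paragraph describes the dropper pattern (a wrapper APK whose resource holds a base64 string that decodes to a second, malicious APK). The script below is an added example, not code from the Trend Micro write-up or from anyone in this thread: it walks every entry of an APK (which is just a ZIP), looks for long base64 runs, and reports any that decode to another APK. The wrapper and payload APKs it scans are constructed inline as stand-ins so the check runs offline; no real sample, package name or resource path from GhostCtrl is assumed.

```python
"""Detect a base64-encoded APK hidden inside another APK's resources.

Added example; the sample wrapper/payload APKs are constructed here, not
taken from any real malware.  Works on any APK file: pass its bytes to
find_embedded_apks().
"""
from __future__ import annotations

import base64
import binascii
import io
import re
import zipfile

# Only long runs of base64 alphabet characters are worth decoding; short
# runs are far more likely to be ordinary text or identifiers.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{128,}={0,2}")
# Every APK carries at least these two entries.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def looks_like_apk(blob: bytes) -> bool:
    """True if blob is a ZIP whose entries include the files every APK has."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return APK_MARKERS.issubset(zf.namelist())
    except zipfile.BadZipFile:
        return False


def find_embedded_apks(outer_apk: bytes) -> list[tuple[str, int]]:
    """Return (entry name, decoded payload size) for every entry of outer_apk
    that contains a base64 run decoding to an APK."""
    hits: list[tuple[str, int]] = []
    with zipfile.ZipFile(io.BytesIO(outer_apk)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            for match in BASE64_RUN.finditer(data):
                try:
                    decoded = base64.b64decode(match.group(0), validate=True)
                except (binascii.Error, ValueError):
                    continue  # not well-formed base64, skip this run
                if looks_like_apk(decoded):
                    hits.append((name, len(decoded)))
                    break  # one hit per entry is enough for triage
    return hits


def _make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (APK stand-in) from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_dropper() -> bytes:
    """Constructed stand-in for a dropper: the wrapper's res/raw/config.txt
    holds the base64 of a second APK.  Manifest/dex contents are placeholders
    (a real manifest is binary XML), which is all the structural check needs."""
    payload = _make_zip({
        "AndroidManifest.xml": b"<manifest package='example.payload'/>",
        "classes.dex": b"dex\n035\x00" + bytes(range(256)) * 4,
    })
    return _make_zip({
        "AndroidManifest.xml": b"<manifest package='example.wrapper'/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
        "res/raw/config.txt": b"cfg=" + base64.b64encode(payload) + b"\n",
        # A benign long base64 blob (not a ZIP) must not be reported.
        "res/raw/logo.txt": base64.b64encode(b"\x89PNG" + bytes(range(256)) * 2),
    })


if __name__ == "__main__":
    for entry, size in find_embedded_apks(build_sample_dropper()):
        print(f"embedded APK in {entry}: {size} bytes after base64 decode")
```

To use it on a real file, read the APK bytes and call `find_embedded_apks()`; a hit on a resource entry is a strong signal of the wrapper-plus-payload layout described above, although a payload that is additionally encrypted (rather than only base64-encoded) will not be caught by this check.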

~~~
dahart
That link says right at the top, "The difference between this type of malware
and a legitimate application with similar functionality is that the
installation is done without the user’s knowledge."

I agree with @debatem1, this is not what "backdoor" commonly means, phishing
does not count as "without the user's knowledge". Phishing is a _trick_ to get
in the front door.

~~~
fulafel
I'm not sure if you're serious, but in this case the user obviously was not
intending to install a "legitimate application with similar functionality".

The user wanted to install a WhatsApp, Pokemon, etc type of application but
was phished or otherwise deceived into completing the app installation
interaction, and was left with no knowledge about the backdoor.

~~~
dahart
Right, you are correct, the user didn't want it. But the user's intent is not
the line that distinguishes between phishing and a back door. Yes I'm serious.
Phishing is a way to get people to do things they don't intend to do. Phishing
involves a user interaction that is masquerading as legitimate, but is in fact
malicious against the user's intent. Both phishing and back door attacks are
always attempting to do something unwanted, and always intending to do it
without the user knowing what's really happening. But the language "without
the user's knowledge" referring to back doors means without _any_ user
interaction.

I'm sure there are gray areas and situations where it's hard to distinguish,
but a backdoor is most commonly defined as not involving any user interaction.
A phishing attack involves user interaction. The phishing attack can be used
to install a backdoor for future attacks, but that's not what happened here.
This phishing attack asked the user for permission to do the things it wants
to do. That's the front door.

It's a guy pretending to be the mailman ringing the doorbell and asking if he
can come in, then stealing stuff while he's there. The backdoor is a thief in
a mask sneaking in a slightly open window at night when nobody's home. The
difference is the fake mailman asked for permission. Even though he was fake.
It wasn't my intent to let a thief in the house, it was my intent to let the
mailman in, but I still got robbed.

Make sense now?

This distinction is important because there are things you can do to avoid
phishing, as there are in this case, but there is nothing you can do to avoid
a real back door, because it happens without any signaling at all, it happens
without your knowledge. So back to @debatem1's point, this should have been
called a sophisticated phishing attack, rather than being called,
inaccurately, a back door attack.

~~~
fulafel
Backdoor is a type of persistent malware. Phishing is a way to infect a device
with malware, be it a backdoor or ransomware or whatever.

There is always some infection vector associated with a backdoor.

~~~
dahart
Yes, right, that's correct. The infection vector itself is precisely what is
known as the "back door". That's the point. Back doors _are_ the vector,
whereas with phishing the user is the vector.

The definition of a backdoor is an attack that bypasses security and doesn't
require user input. The definition of phishing is an attack that requires user
input, by tricking the user into using their own credentials to authorize
access.

Back doors can be opened intentionally or unintentionally by whoever designed
or setup the system, but they allow an attacker to get in without involving
any input or action from a legitimate user of the system.

Phishing is a way to infect a device with malware by tricking the user into
installing the malware. That's exactly what happened here. GhostCtrl is
malware that infects via phishing, because it requires the user to authorize
it, and it does not have an attack vector it can use without the user's
authorization.

It sounds like we're all straightened out and in agreement?

~~~
fulafel
No, the infection vector, eg phishing or browser exploit or trojan or
whatever, is what enables a back door to be installed. The back door is not an
infection vector, it is the payload.

Yes, there is a type of back door that is factory installed as part of the dev
process of an otherwise legitimate product. But in the context of malware, the
backdoor is a payload that enables malicious remote access. Like the glossary
entry I linked explains.

~~~
dahart
Yes it is possible to install a back door, _after_ you've gained access. I'm
fine with calling GhostCtrl a phishing attack that installs a back door. The
big question here is which part of the attack elevates access to user or root
level?

The miscommunication here between us is that you're looking at what GhostCtrl
does _after_ it already gained access. Because the first point of contact, the
initial entry point, is using the security systems as they were designed to be
used, and tricking the user into granting access to the malicious software,
the attack as a whole is a phishing attack. As I understand it, the payload is
not by itself elevating access, it is using access the user granted to do bad
things, not achieving a higher access level.

The payload of an attack of any sort is not commonly understood to be the
"back door", I think you're slightly off the mark there. You're not wrong, but
you're going to have trouble talking to other people if you keep insisting on
this, because the common understanding of a back door is that it's a way of
getting in, by bypassing security. It's normally defined as a way of
initiating an attack, not the malicious result of an already complete attack.

The only way to define a back door as you have is to have another attack in
front of it. If the back door is the payload, then you have to deliver and
execute the payload somehow. In the case of GhostCtrl, that mechanism is
phishing.

~~~
fulafel
If you scroll back, this started with "Why is this being called a backdoor? Is
there any indication that that's what it is?". I linked to a glossary entry I
think reflects the common usage in malware context.

Any payload is not a back door, payloads can be also ransomware, ddos bots,
etc.

~~~
dahart
Okay, I think we're agreeing on the definition. You do agree that this
particular backdoor depends on a successful phishing attack, right?

FWIW, I don't think that glossary entry you linked is very good. It calls a
backdoor an application, but a backdoor is not always an application -- which
I think you already know & mentioned in this thread. A RAT (remote access
tool) is definitely not synonymous with backdoor in the common understanding.
A backdoor can also be an open port, a bad password, or a variety of other
entry methods. Wikipedia's entry on backdoor is better than the one you
linked.
[https://en.m.wikipedia.org/wiki/Backdoor_(computing)](https://en.m.wikipedia.org/wiki/Backdoor_\(computing\))

If a backdoor were always an application, and that was the common definition,
then I think the question above wouldn't have been asked. One problem is that
backdoor sometimes implies a vulnerability exists before any malware is
installed. To call something a backdoor can send the wrong message about what
someone concerned about this should do to mitigate the risks. Knowing it's a
phishing attack is pretty important because it means you can and should be
suspicious of apps asking for credentials and permissions. If you think it's
primarily a back door, you might wrongly assume that you need to update a
security patch, or that there's nothing you can do to reduce your risks.

This is why I believe @debatem1's question is reasonable and agree with it -
to title this a backdoor is technically true, but it seems misleading.

~~~
fulafel
I think this is going around in circles: we already covered the backdoor term
in malware vs product name in contexts, and the payload vs phishing thing. If
you Google for backdoor payloads, you see that it is common usage.

------
SCdF
> The malware masquerades as a legitimate or popular app that uses the names
> App, MMS, whatsapp, and even Pokemon GO.

OK, so the attack vector here is installing dodgy stuff off the Play store? Or
not the play store but from another source, such as an ad?

~~~
ninju
I believe it's only from 'third party' app stores. The official Google Play
store already scans applications for such malicious content.

~~~
on_and_off
Even random apks are analyzed by the same service that is used by the play
store.

It is still more dangerous, but known signatures are detected.

------
tym0
Title is misleading, it makes it sound like the backdoor is in the Android
software while this is just malware.

~~~
Joeri
The point is that android makes it possible. You don't have these things on
iOS because apple doesn't allow them, where google does.

~~~
Ajedi32
Any platform which allows users to install arbitrary software of their own
choosing "allows" this. GNU/Linux for example, also allows this. As do Mac,
Windows, and jailbroken iOS.

~~~
Joeri
This is the choice everyone makes: safety in a walled garden, or freedom
outside of it. For my phone I much prefer the safety trade-off, so I would
never choose android, but for my work laptop I wouldn't want to be locked down
in a similar way.

------
ericfrederich
Cool... can I use it to have a decent app to record a phone call? All other
existing solutions require you to turn on speaker phone.

~~~
ericmo
IDK how NLL's ACR works, but Android API doesn't expose audio output devices
because it could lead to piracy issues, such as recording whatever is playing
on Spotify. I don't think there's a way to bypass that, and if there were it
would probably be banned from Google Play Store.

------
breakingcups
What's so special about this one compared to the other well-known trojans
(like omnirat, the RAT this one is based on)?

~~~
TACIXAT
It literally is Omnirat. From the article:

>GhostCtrl is also actually a variant (or at least based on) of the
commercially sold, multiplatform OmniRAT that made headlines in November 2015.

------
sleepychu
So is the experience:

"Hacked Up Pokemon Go needs these permissions" (all of them) (deny, allow),
user has been trained that if they deny a permission the app won't work so
they click allow?

~~~
ClassyJacket
I would assume it simply doesn't use the Android 6 permission system, so the
user gets no option to deny.

------
StavrosK
(How) does this bypass the permissions system?

~~~
kbart
It was (still is?) a common practice to grant _all_ permissions when
installing an app from Google Play. Most people don't even look at the
"annoying" popup that lists permissions to be granted and just press "accept"
without ever reading it.

~~~
ClassyJacket
Well it's not like there's any option to deny them. You can only not install
the app, unless the app chooses to build for the Android 6 permission system.
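The distinction the last few comments turn on is the app's targetSdkVersion: an app that targets API 23 or later must request dangerous permissions at run time, while one targeting 22 or lower gets them granted as a block at install time (on Android 6+ the user can only revoke them afterwards in Settings). The script below is an added example, not code from the article or the thread: it reads a decoded AndroidManifest.xml (text as produced by a decoder such as apktool; a real APK stores it as binary XML) and reports which grant model applies and which of the requested permissions fall in Android's "dangerous" protection level. The dangerous list is a hand-picked subset relevant to spyware triage, and the two manifests are constructed samples.

```python
"""Triage a decoded AndroidManifest.xml for permission grant model and
dangerous permissions.  Added example with constructed sample manifests.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
RUNTIME_PERMISSIONS_SDK = 23  # Android 6.0 (Marshmallow)

# Subset of Android's dangerous-protection-level permissions; extend as needed.
DANGEROUS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def _a(attr: str) -> str:
    """Qualify an attribute name with the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


def triage_manifest(manifest_xml: str) -> dict:
    """Return package, effective targetSdkVersion, grant model and the
    requested permissions that are in DANGEROUS."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    # Per Android docs: targetSdkVersion defaults to minSdkVersion, which
    # defaults to 1 when absent.
    target = 1
    if uses_sdk is not None:
        target = int(uses_sdk.get(_a("targetSdkVersion"),
                                  uses_sdk.get(_a("minSdkVersion"), "1")))
    requested = [e.get(_a("name")) for e in root.findall("uses-permission")]
    return {
        "package": root.get("package"),
        "targetSdkVersion": target,
        "grant_model": ("runtime prompt per permission"
                        if target >= RUNTIME_PERMISSIONS_SDK
                        else "all-or-nothing at install time"),
        "requested": requested,
        "dangerous": sorted(p for p in requested if p in DANGEROUS),
    }


def _sample(target_sdk: int) -> str:
    """Constructed manifest: a 'messaging' app asking for spyware-grade access."""
    return f"""<manifest xmlns:android="{ANDROID_NS}" package="example.mms">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="{target_sdk}"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""


LEGACY_MANIFEST = _sample(22)   # install-time grant even on Android 6+
MODERN_MANIFEST = _sample(23)   # must prompt at run time

if __name__ == "__main__":
    for m in (LEGACY_MANIFEST, MODERN_MANIFEST):
        r = triage_manifest(m)
        print(f"{r['package']} target={r['targetSdkVersion']}: {r['grant_model']}")
        print("  dangerous:", ", ".join(r["dangerous"]))
```

A low targetSdkVersion combined with a long dangerous list is exactly the profile of an app that wants the old accept-everything install dialog rather than per-permission prompts; it is a cheap heuristic to run over a batch of sideloaded APKs after decoding their manifests.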

~~~
kbart
_" You can only not install the app"_

That's what I actually do. I refuse to install apps that require broad
permissions not related to their primary purpose. Though I do realize that I
belong to that insignificant minority group of users.

~~~
ClassyJacket
Unfortunately, that would make my phone basically pointless. I wouldn't
install damn near anything.

------
ouid
all I see is dwarf fortress

------
mrkrabo
Observation: I suppose it's some kind of meme in this industry that in this
kind of post they take screenshots from MS-DOS editors opening the malware.

~~~
grecy
Just like young men sneaking around and wearing black face masks in stories
about "hacking"

~~~
teniutza
You mean this guy [https://www.troyhunt.com/is-this-hooded-cyber-bandit-the-webs-most-prolific-hacker](https://www.troyhunt.com/is-this-hooded-cyber-bandit-the-webs-most-prolific-hacker) ?

~~~
grecy
I was thinking of worse, like this:

[http://cdn.wccftech.com/wp-content/uploads/2017/03/icloud-scam.jpg](http://cdn.wccftech.com/wp-content/uploads/2017/03/icloud-scam.jpg)

[http://www.jordantimes.com/sites/default/files/styles/news_i...](http://www.jordantimes.com/sites/default/files/styles/news_inner/public/hacking.jpg?itok=4CuL2dZf)

etc

Usually show men in black clothes trying to climb in windows, etc.

~~~
croon
I'm not sure what's most offensive between the paper mask and the URL using
backslashes.

~~~
grecy
I really like "your.bank"

I wonder how many people would believe that works.

~~~
TeMPOraL
With current new global TLDs? Why not?

~~~
mrkrabo
[https://your.bank](https://your.bank)

------
bullen
Trend micro pipes all your HTTP data through their proxies. Avoid this company
at all costs so that they can become bankrupt.

