New Android Malware GhostSpy Let Attacker Take Full Control Over Infected Devices

A sophisticated new Android malware strain called GhostSpy has emerged as a significant threat to mobile device security, demonstrating advanced capabilities that allow cybercriminals to achieve complete control over infected smartphones and tablets.

This web-based Remote Access Trojan (RAT) employs a multi-stage infection process, beginning with a seemingly innocuous dropper application that silently escalates privileges and deploys a secondary payload designed to establish persistent surveillance and control capabilities.

The malware represents a concerning evolution in mobile threats, leveraging advanced evasion techniques, automated permission handling, and sophisticated anti-uninstall mechanisms to maintain long-term access to victim devices.


GhostSpy’s attack vector typically involves social engineering tactics, presenting itself as a legitimate application update or system utility to trick users into installation.

Once established, the malware abuses Android’s Accessibility Services and Device Administrator APIs to bypass security restrictions and grant itself extensive permissions without the user’s knowledge. Neither API is exploited through a vulnerability: the victim must still enable the accessibility service once in Settings, but from that point the service can read the screen and click on the user’s behalf, and every later permission dialog is answered automatically.

Cyfirma analysts identified this high-risk Android malware variant during ongoing threat monitoring activities, noting its particularly dangerous combination of surveillance capabilities and persistence mechanisms.

The research team’s analysis revealed that GhostSpy can perform comprehensive data theft including keylogging, screen capture, background audio and video recording, SMS and call log extraction, GPS location tracking, and remote command execution.

Perhaps most concerning is the malware’s ability to bypass banking application screenshot protections using a skeleton view reconstruction method. FLAG_SECURE only blanks screenshots and screen recordings; an accessibility service can still walk the AccessibilityNodeInfo tree and read each view’s class, bounds, text, and content description, so GhostSpy harvests the complete UI layout of supposedly secure applications and rebuilds the screen on the operator’s side.

The malware’s operator infrastructure suggests a Brazilian origin, with multiple active command-and-control servers hosted across different locations and supporting multiple languages including Portuguese, English, and Spanish.

TechDroidSpy, an operator from Brazil (Source – Cyfirma)

This international scope indicates GhostSpy is actively maintained and distributed across various regions, with the primary C2 server located at stealth.gstpainel.fun and additional endpoints operating on ports 3000 and 4200.

What makes GhostSpy particularly insidious is its comprehensive approach to device compromise, combining traditional RAT functionality with modern mobile-specific attack techniques.

GhostSpy (Source – Cyfirma)

The malware can steal banking credentials for financial fraud, capture screen content even in screenshot-restricted applications, and perform unauthorized financial transactions through Accessibility Service abuse, making it a severe threat to both personal privacy and financial security.

Advanced Infection and Privilege Escalation Mechanism

GhostSpy’s infection mechanism demonstrates remarkable sophistication in its multi-stage deployment strategy.

Fake app update (Source – Cyfirma)

The initial dropper application contains a critical method called updateApp() that serves as the trigger for payload deployment.

This method first calls PackageManager.canRequestPackageInstalls(), which reports whether the application is allowed to install APK files from outside the Google Play Store.

If this permission is not granted, the malware opens the Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES page with a package: URI for its own package, so the user lands directly on the “install unknown apps” toggle for the dropper and is prompted to enable it.

Once the necessary permissions are obtained, the dropper executes copyApkFromAssets("update.apk") to extract a bundled secondary APK payload from its assets folder and proceeds to installApk() for execution.

The installation process uses an Intent with the action android.intent.action.VIEW and the MIME type application/vnd.android.package-archive, targeting a content URI generated via FileProvider and carrying FLAG_GRANT_READ_URI_PERMISSION so that the package installer activity can read the staged APK.
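The dropper traits described above (an APK bundled under assets/, a check of canRequestPackageInstalls(), a redirect to MANAGE_UNKNOWN_APP_SOURCES, and an installer intent built on FileProvider) can be screened for statically. The script below is an added triage example, not Cyfirma’s or the malware’s code: it opens an APK as a zip, looks for nested APKs in assets/ and res/raw/, and searches the DEX entries for the identifiers and platform strings that those calls leave in the DEX string table. The marker lists and the scoring are assumptions, and the two sample APKs are constructed in memory (their classes.dex entries are placeholders carrying only the strings, not real bytecode).

```python
import io
import re
import zipfile

# Strings the dropper flow leaves in a DEX string table (identifiers and
# inlined platform constants). Assumed marker set, not an official list.
DROPPER_MARKERS = {
    "unknown_sources_check": b"canRequestPackageInstalls",
    "unknown_sources_prompt": b"android.settings.MANAGE_UNKNOWN_APP_SOURCES",
    "apk_mime": b"application/vnd.android.package-archive",
    "file_provider": b"androidx.core.content.FileProvider",
}
# Strings that the payload's permission automation would reference.
AUTOMATION_MARKERS = {
    "accessibility_click": b"AccessibilityNodeInfo",
    "gesture_tap": b"dispatchGesture",
}
ZIP_MAGIC = b"PK\x03\x04"
PAYLOAD_DIRS = ("assets/", "res/raw/")


def nested_apks(apk_bytes: bytes) -> dict:
    """Return {entry name: bytes} for entries under assets/ or res/raw/ that are
    themselves zips containing a classes.dex, i.e. bundled APK payloads."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not info.filename.startswith(PAYLOAD_DIRS):
                continue
            data = z.read(info)
            if not data.startswith(ZIP_MAGIC):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "classes.dex" in inner.namelist():
                        found[info.filename] = data
            except zipfile.BadZipFile:
                continue
    return found


def dex_markers(apk_bytes: bytes, markers: dict) -> set:
    """Names of markers whose byte pattern occurs in any classes*.dex entry.
    DEX stores identifiers as MUTF-8, so a raw byte search is sufficient."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                blob = z.read(name)
                hits.update(k for k, pat in markers.items() if pat in blob)
    return hits


def triage(apk_bytes: bytes) -> dict:
    """Combine the checks: dropper strings in the outer APK, automation strings
    in the outer APK and in every bundled payload."""
    payloads = nested_apks(apk_bytes)
    dropper = dex_markers(apk_bytes, DROPPER_MARKERS)
    automation = dex_markers(apk_bytes, AUTOMATION_MARKERS)
    for data in payloads.values():
        automation |= dex_markers(data, AUTOMATION_MARKERS)
    if payloads and dropper:
        verdict = "dropper-like"
    elif dropper or automation:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "nested_apks": sorted(payloads),
        "dropper": sorted(dropper),
        "automation": sorted(automation),
        "verdict": verdict,
    }


def _fake_dex(*strings: bytes) -> bytes:
    """Constructed placeholder: DEX magic followed by NUL-separated strings."""
    return b"dex\n035\x00" + b"\x00".join(strings) + b"\x00"


def build_sample_dropper() -> bytes:
    """Constructed sample mirroring the described layout: outer dropper APK
    carrying assets/update.apk, whose DEX references accessibility automation."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder
        z.writestr("classes.dex", _fake_dex(*AUTOMATION_MARKERS.values()))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder
        z.writestr("classes.dex", _fake_dex(*DROPPER_MARKERS.values()))
        z.writestr("assets/update.apk", inner.getvalue())
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")
    return outer.getvalue()


def build_sample_benign() -> bytes:
    """Constructed sample with no payload and no dropper strings."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder
        z.writestr("classes.dex", _fake_dex(b"onCreate", b"setContentView"))
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")
    return out.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_dropper()))
    print(triage(build_sample_benign()))
```

On a real sample, pass the APK’s bytes to triage(); a “dropper-like” verdict is a reason to pull the nested APK out and analyse it separately, since the outer package is usually small and bland by design.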

The secondary payload, identified as “com.support.litework,” demonstrates the malware’s most dangerous capability through its automated permission granting mechanism.

The AllowPrims14_normal method automates screen taps to grant permissions without user interaction by simulating touches across likely button areas.

This sophisticated technique targets the latest Android versions and loops through all required permissions, attempting taps from 45% to 90% of screen height with sleep intervals that mimic human behavior to reduce detection risks.

Complementing this automation, the getAutomaticallyPermission method recursively traverses the UI hierarchy using AccessibilityNodeInfo to locate and interact with permission dialog buttons.

It specifically targets android.widget.Button elements whose text matches common permission prompts in various languages including “Allow,” “While using the app,” and “Permitir,” automatically clicking these buttons using performAction(AccessibilityNodeInfo.ACTION_CLICK).
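Both the permission-dialog clicking described here and the skeleton view reconstruction described earlier rest on the same primitive: an accessibility service walking the AccessibilityNodeInfo tree. The following is an added model in Python, not Cyfirma’s or the malware’s code, that makes the two abuses concrete on constructed view trees. Node, the click log, and the data_sensitive flag are assumptions standing in for the Android API; the flag models a view marked accessibilityDataSensitive (Android 14), which is hidden from accessibility services that do not declare isAccessibilityTool, and the sample label set contains only the three button texts the article lists.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """Minimal stand-in for AccessibilityNodeInfo (assumption, not the API)."""
    cls: str                          # e.g. "android.widget.Button"
    text: str = ""
    bounds: tuple = (0, 0, 0, 0)      # left, top, right, bottom in pixels
    clickable: bool = False
    data_sensitive: bool = False      # models accessibilityDataSensitive (Android 14)
    children: list = field(default_factory=list)


# Affirmative labels from the article; negative buttons are deliberately absent.
ALLOW_LABELS = {"allow", "while using the app", "permitir"}


def find_allow_button(node: Node):
    """Depth-first search for the first clickable Button whose text is an
    affirmative permission label, mirroring the recursive traversal described."""
    if (node.cls == "android.widget.Button" and node.clickable
            and node.text.strip().lower() in ALLOW_LABELS):
        return node
    for child in node.children:
        hit = find_allow_button(child)
        if hit is not None:
            return hit
    return None


def auto_grant(dialog: Node, click_log: list) -> bool:
    """Click the allow button if present; stands in for performAction(ACTION_CLICK)."""
    btn = find_allow_button(dialog)
    if btn is None:
        return False
    click_log.append(btn.text)
    return True


def skeleton(node: Node, depth: int = 0, out: list = None) -> list:
    """Rebuild the on-screen layout from the node tree. This is what a malicious
    service receives even when FLAG_SECURE blanks screenshots. Views marked
    data-sensitive (and, here, their subtrees) are withheld, modelling what a
    non-accessibility-tool service gets on Android 14."""
    if out is None:
        out = []
    if node.data_sensitive:
        return out
    label = node.cls.rsplit(".", 1)[-1]
    l, t, r, b = node.bounds
    out.append(f"{'  ' * depth}{label} [{l},{t}-{r},{b}] {node.text!r}")
    for child in node.children:
        skeleton(child, depth + 1, out)
    return out


def sample_permission_dialog() -> Node:
    """Constructed runtime-permission dialog in a Portuguese locale."""
    return Node("android.widget.FrameLayout", bounds=(0, 0, 1080, 2400), children=[
        Node("android.widget.TextView", text="Permitir que o app acesse SMS?",
             bounds=(80, 1000, 1000, 1100)),
        Node("android.widget.LinearLayout", bounds=(80, 1150, 1000, 1300), children=[
            Node("android.widget.Button", text="Não permitir",
                 bounds=(80, 1150, 500, 1300), clickable=True),
            Node("android.widget.Button", text="Permitir",
                 bounds=(560, 1150, 1000, 1300), clickable=True),
        ]),
    ])


def sample_banking_screen(hardened: bool) -> Node:
    """Constructed balance screen. FLAG_SECURE changes nothing in the node tree;
    only marking the sensitive views data-sensitive keeps them out of it."""
    return Node("android.widget.FrameLayout", bounds=(0, 0, 1080, 2400), children=[
        Node("android.widget.TextView", text="Saldo disponível", bounds=(40, 300, 600, 360)),
        Node("android.widget.TextView", text="R$ 12.345,67", bounds=(40, 370, 600, 450),
             data_sensitive=hardened),
        Node("android.widget.EditText", text="", bounds=(40, 800, 1000, 900),
             clickable=True, data_sensitive=hardened),
        Node("android.widget.Button", text="Transferir", bounds=(40, 950, 1000, 1050),
             clickable=True),
    ])


if __name__ == "__main__":
    clicks = []
    print("granted:", auto_grant(sample_permission_dialog(), clicks), clicks)
    print("\n".join(skeleton(sample_banking_screen(hardened=False))))
    print("--- hardened ---")
    print("\n".join(skeleton(sample_banking_screen(hardened=True))))
```

The label match is on the button’s own text, so a screen that merely contains the word “Allow” in a paragraph is not clicked, and the search order is the tree order, which is why the malware’s list of button texts never includes the negative option. For app developers the second half is the actionable part: FLAG_SECURE does not remove a single node from this walk, whereas the data-sensitive flag does.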

This multilingual approach demonstrates the malware’s global targeting strategy and sophisticated understanding of Android’s permission model across different device configurations and language settings.


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating engaging and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.