Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • A newly discovered form of Android malware called GhostTeam is able to steal Facebook credentials from infected devices.
  • GhostTeam can be dangerous, but it relies on tricking humans into installing it. Protecting Android devices and educating users can mitigate much of the threat.

Security researchers at Trend Micro have discovered a new piece of Android malware present in 53 different apps–one of which was downloaded more than 100,000 times.

They’ve dubbed it GhostTeam, and it’s primarily affecting users in India, Indonesia, and Brazil. That doesn’t mean it couldn’t spread, or hasn’t already–it’s been on the Google Play store since April 2017, which means it could already have evolved into different forms targeting US-based customers.

GhostTeam steals Facebook credentials, though the reason is unknown. Trend Micro speculates it could be building a “zombie social media army” to spread fake news articles and crypto-mining malware. It also pushes full-screen ads to infected devices, likely to generate click revenue.

Like other forms of Android malware, GhostTeam is a capable piece of malware–once it’s installed on a device, that is. There’s no good way for Android malware to proliferate outside of tricking users into installing it, and this one is no different.

Familiar malware tactics

Masquerading as legitimate Google Play store apps, GhostTeam has been found hiding in flashlights, social media video downloaders, QR scanners, and other utility-style apps.

The infected apps don’t even contain the GhostTeam malware themselves–like other recent mobile malware trends, GhostTeam uses a multi-stage attack to hide its payload.

Once the malicious app is downloaded from Google Play, it does something tricky: It checks to see if it’s running in an emulator or Android VM so that its code can’t be inspected by security professionals. Once it knows it’s running on a real device, the app downloads the GhostTeam payload, hiding it as a Google Play Services app. When the user next opens Google Play or Facebook on the infected device they get a popup urging them to install the fake Google Play Services app and then to grant it administrator permissions.

Then GhostTeam waits for the next time Facebook is opened. It loads a fake WebView page and asks for the user to verify their Facebook account. GhostTeam captures the email address and password, sends it to its command and control server, and from there it has access to the account (provided two-factor authentication isn’t enabled).

Staying safe from GhostTeam

Protecting your device, and those you manage, from GhostTeam doesn’t require any new tactics:

  • Be sure that your Android device has a reliable antivirus app installed.
  • Look at reviews of an app before downloading–the comments and ratings might give you reason to be suspicious of an app’s legitimacy.
  • Keep your Android device updated with the latest OS and security patches.
  • If you suspect a GhostTeam infection, it can be partially mitigated by disabling device administrator permissions in Settings.
  • Enable two-factor authentication for Facebook and other accounts that have it available as an option.
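The two device-side behaviours the article describes, a payload that presents itself as a Google Play Services app, and that payload asking for device administrator rights, can both be checked against an installed-app inventory. The script below is an added example, not code from the article or from Trend Micro. It assumes an inventory of (package name, label, device-admin flag, system-app flag) records; the sample inventory is constructed, and every package name other than Google's real `com.google.android.gms` is made up. In practice the records could be built from `adb shell pm list packages` and `adb shell dumpsys device_policy` output.

```python
"""Triage an Android app inventory for GhostTeam-style indicators.

Added example (not from the article). Two checks, both taken from the
article's description of the malware:
  1. an app whose label claims to be Google Play Services but whose
     package name is not Google's genuine com.google.android.gms;
  2. a non-system app that holds device administrator rights, which is
     what the fake Google Play Services app asks the user to grant.
"""
from dataclasses import dataclass

# Google's genuine Play Services package name.
GENUINE_PLAY_SERVICES_PKG = "com.google.android.gms"


@dataclass
class InstalledApp:
    package: str          # Android package name
    label: str            # human-readable app name shown in Settings
    device_admin: bool = False   # holds device administrator rights
    system_app: bool = False     # shipped in the system image


@dataclass
class Finding:
    package: str
    reason: str


def normalize(label: str) -> str:
    """Lower-case and collapse whitespace so label matching is forgiving."""
    return " ".join(label.lower().split())


def triage(apps):
    """Return a list of Findings for the GhostTeam-style indicators above."""
    findings = []
    for app in apps:
        if ("google play services" in normalize(app.label)
                and app.package != GENUINE_PLAY_SERVICES_PKG):
            findings.append(Finding(app.package,
                                    "label impersonates Google Play Services"))
        if app.device_admin and not app.system_app:
            findings.append(Finding(app.package,
                                    "non-system app holds device administrator rights"))
    return findings


# Constructed sample inventory (all non-Google package names are invented).
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.gms", "Google Play Services", system_app=True),
    InstalledApp("com.android.vending", "Google Play Store", system_app=True),
    InstalledApp("com.example.flashlight", "Super Flashlight"),
    # Looks like the article's fake Play Services payload with admin rights.
    InstalledApp("com.example.svc", "Google Play Services", device_admin=True),
    # A legitimate-looking device policy app: flagged for review, not malware.
    InstalledApp("com.example.mdm", "Work Device Policy", device_admin=True),
]


def main():
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.package}: {f.reason}")
    print("Review each flagged app; the article's remediation is to revoke its "
          "device administrator rights in Settings before uninstalling it.")


if __name__ == "__main__":
    main()
```

The device-admin check deliberately flags legitimate management apps too (the constructed `com.example.mdm` entry), since holding admin rights is not itself malicious; the label-impersonation check is the stronger signal and, when both fire on the same package, it matches the behaviour the article attributes to GhostTeam.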

Trend Micro said that Google has been notified, affected apps have been removed, and Google Play Protect has been updated to recognize GhostTeam.