Called GhostTeam, the malware disguises itself as legitimate utility apps, but it actually harvests Facebook passwords and floods users with full-screen ads.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A newly discovered form of Android malware called GhostTeam is able to steal Facebook credentials from infected devices.
- GhostTeam can be dangerous, but it relies on tricking humans into installing it. Protecting Android devices and educating users can mitigate much of the threat.
Trend Micro's researchers dubbed it GhostTeam, and so far it has mainly affected users in India, Indonesia, and Brazil. That doesn't mean it couldn't spread, or hasn't already: the malicious apps have been on the Google Play store since April 2017, long enough for variants aimed at US-based users to have appeared.
GhostTeam steals Facebook credentials, though to what end is unknown. Trend Micro speculates that its operators could be building a "zombie social media army" to spread fake news articles and crypto-mining malware. The malware also pushes full-screen ads to infected devices, most likely to generate click revenue.
Like most Android malware, GhostTeam is capable once it's on a device, but getting there is the hard part: it spreads only by tricking users into installing it, not by exploiting a vulnerability, and in that respect it is no different from the rest.
Familiar malware tactics
Masquerading as legitimate Google Play store apps, GhostTeam has been found hiding in flashlights, social media video downloaders, QR scanners, and other utility-style apps.
The apps in Google Play don't contain the GhostTeam payload themselves. In keeping with a recent mobile-malware trend, GhostTeam uses a multi-stage installation that keeps the payload out of the app that Google reviews.
Once the dropper app is installed from Google Play, it first checks whether it's running in an emulator or Android VM, which hides its behaviour from automated sandboxes and the analysts who use them. Only on a real device does it download the GhostTeam payload, disguised as a Google Play Services app. The next time the user opens Google Play or Facebook, a popup urges them to install the fake Google Play Services app and then grant it device administrator permissions, which makes it considerably harder to remove.
GhostTeam then waits for the next time Facebook is opened, loads a fake login page in a WebView, and asks the user to verify their Facebook account. It captures the email address and password, sends them to its command and control server, and from there the attackers can log in to the account (unless two-factor authentication is enabled).
Staying safe from GhostTeam
Protecting your device, and those you manage, from GhostTeam doesn't require any new tactics:
- Be sure that your Android device has a reliable antivirus app installed.
- Look at reviews of an app before downloading—the comments and ratings might give you reason to be suspicious of an app's legitimacy.
- Keep your Android device updated with the latest OS and security patches.
- If you suspect a GhostTeam infection, check Settings for device administrator apps you don't recognise (in particular a second "Google Play Services"), revoke their administrator permission, and then uninstall them. Android won't uninstall an app while it still holds device admin, so the revocation has to come first.
- Enable two-factor authentication for Facebook and other accounts that have it available as an option.
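The triage step above can be scripted from a workstation with adb. The following is an added example, not code from the article or from Trend Micro: it parses the output of `adb shell dumpsys device_policy`, lists every enabled device-admin component, flags any that is not on an allowlist, and singles out packages that borrow the Play Services name without being the genuine `com.google.android.gms`. The `admin=ComponentInfo{package/receiver}` line format, the allowlist and the sample dumpsys output are assumptions constructed for the example, so adjust them to what your device prints.

```python
"""Device-admin triage for a suspected GhostTeam-style infection (added example).

Runs offline against constructed sample output; run_live() shells out to adb.
"""
import re
import subprocess
from typing import Dict, List

# The only genuine Google Play Services package. Any other admin that calls
# itself Play Services is an impostor.
GENUINE_GMS = "com.google.android.gms"

# Packages that commonly hold device-admin legitimately. Assumed allowlist for
# this example; add your MDM agent before using it for real.
EXPECTED_ADMINS = {GENUINE_GMS, "com.android.email"}

# Assumed dumpsys format: one line per enabled admin, e.g.
#   admin=ComponentInfo{com.example/com.example.AdminReceiver}
ADMIN_RE = re.compile(r"admin=ComponentInfo\{([^/]+)/([^}]+)\}")
# Heuristic for names that mimic Google Play Services.
LOOKALIKE_RE = re.compile(r"gms|google|play", re.IGNORECASE)

# Constructed sample, not captured from a real device.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    admin=ComponentInfo{com.android.email/com.android.email.SecurityPolicy$PolicyAdmin}
      testOnlyAdmin=false
    admin=ComponentInfo{com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver}
      testOnlyAdmin=false
    admin=ComponentInfo{com.gms.playservices/com.gms.playservices.DeviceAdmin}
      testOnlyAdmin=false
"""


def parse_device_admins(dumpsys_text: str) -> List[Dict[str, str]]:
    """Return one dict per enabled admin: {'package': ..., 'receiver': ...}."""
    return [
        {"package": m.group(1), "receiver": m.group(2)}
        for m in ADMIN_RE.finditer(dumpsys_text)
    ]


def classify_admins(admins: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Attach a verdict: 'expected' (allowlisted), 'impostor' (Play Services
    lookalike that is not the genuine package) or 'unknown' (review manually)."""
    findings = []
    for admin in admins:
        pkg, receiver = admin["package"], admin["receiver"]
        if pkg in EXPECTED_ADMINS:
            verdict = "expected"
        elif LOOKALIKE_RE.search(pkg) or LOOKALIKE_RE.search(receiver):
            verdict = "impostor"
        else:
            verdict = "unknown"
        findings.append({**admin, "verdict": verdict})
    return findings


def remediation_commands(findings: List[Dict[str, str]]) -> List[str]:
    """Uninstall commands for every non-allowlisted admin. These only succeed
    after device admin has been revoked in Settings > Security, because Android
    refuses to uninstall an app that still holds admin."""
    return [
        f"adb uninstall {f['package']}"
        for f in findings
        if f["verdict"] != "expected"
    ]


def run_live() -> List[Dict[str, str]]:
    """Pull the real dumpsys output from a connected device (needs adb on PATH)."""
    out = subprocess.run(
        ["adb", "shell", "dumpsys", "device_policy"],
        capture_output=True, text=True, check=True,
    ).stdout
    return classify_admins(parse_device_admins(out))


if __name__ == "__main__":
    for f in classify_admins(parse_device_admins(SAMPLE_DUMPSYS)):
        print(f"{f['verdict']:8} {f['package']}/{f['receiver']}")
    for cmd in remediation_commands(classify_admins(parse_device_admins(SAMPLE_DUMPSYS))):
        print("after revoking admin in Settings:", cmd)
```

Treat an "unknown" verdict as a prompt to look at the package, not as a clean bill of health: the name heuristic only catches impostors that imitate Google, and a dropper can call itself anything.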
Trend Micro said that Google has been notified, affected apps have been removed, and Google Play Protect has been updated to recognize GhostTeam.