What Is It?
A recent blog entry from Trend Micro describes malware they found in a total of 53 apps on the Google Play Store. The malware is named GhostTeam, based on the presence of this string in early versions of the malware code. It is primarily Adware, but it also targets Facebook credentials, uploading them to a command and control (C2) server in the .com.vn domain.
The malware will only fully install after it confirms it is running on an actual Android device and not an emulator or a virtual machine.
The infected apps claim to be useful utility apps, such as flashlight apps, device performance improvement apps and social media video downloader apps, which are particularly appealing to users in areas where mobile internet speeds are relatively low.
These apps also illustrate the risks associated with Adware and other potentially unwanted programs/applications. Administrators sometimes consider these categories essentially safe. However, as evidenced here, Adware is often more than merely annoying: it can contain malicious elements or download other malicious content.
How Does It Propagate?
The infected apps do not self-propagate.
The malware is contained in various apps on the Google Play Store and users are enticed to download them based on their apparent usefulness.
When/How Did BluVector Detect It?
BluVector’s patented machine learning malware detection engine detects the GhostTeam-infected apps as malicious. Regression testing on several infected samples has shown the files would have been detected by BluVector an average of 9 months prior to their release. Note: BluVector would only detect the malware if the mobile device was connected to a corporate network monitored by a BluVector appliance.