Do you use Facebook on your Android phone, either through the web or via the official app? Congratulations, you’re like possibly hundreds of millions of people worldwide. Do you have any QR or barcode scanning apps? Compass apps? Chess? Audio recording apps?
Most smartphone and tablet users have at least one of those types of apps. I have a QR code scanner and an audio recording app on my phone. Now look through your Google Play Store app. Do any of your apps say they were developed by Mplus Group? If so, you have reason to be concerned.
Security researchers have discovered at least 53 Android app Trojans, with Facebook credential stealing malware which has been named GhostTeam. Many of the offending apps are developed by Mplus Group. At least one of the apps, Download Videos From Facebook, is developed by Music’s Life. The developer name in the Play Store can’t necessarily be used to determine the individuals behind the malware, but it can be a way to differentiate GhostTeam Trojans from apps which are safe.
GhostTeam Trojan apps have been in the Google Play Store since at least April 2017, and Google just recently removed them. Download Videos From Facebook by Music’s Life alone has over 100,000 downloads, so possibly over a million devices have one of the GhostTeam Trojan apps.
Most GhostTeam victims are from some of the countries in the world with the largest populations - India, Indonesia, Brazil, the Philippines, Japan, China. But there are also many Android devices outside of those countries which are infected.
When Google removed the apps from the Play Store, they stopped making it possible for people to download the apps through the Store and get updates for those apps through the Store. But Google’s action will not remove a GhostTeam Trojan from your Android device.
How GhostTeam Works
In order to assure that the Trojan is installed on an actual Android device, the malware first checks to make sure it’s not running in an emulator or a virtual machine (VM). GhostTeam can only conduct its malicious actions on a real Android phone or tablet. When an installation passes that check, that’s when the payload is delivered.
The payload will masquerade as “Google Play Services” when the function verifies an app. The user will then be prompted to install a fake version of Google Play Services and to enable device administration, which affectively grants administrative rights to the Trojan and its associated activities.
As soon as the user launches their Facebook app, they’ll be asked to verify their account. A WebView (an Android code-specific function to embed web content in an app) will then be executed that will grab the email address and password that the user enters. Those credentials are then sent to GhostTeam’s command and control (C2) servers.
Facebook plays a crucial role in people’s everyday lives. Also, the harm in stealing Facebook creds goes beyond Facebook, because many millions of people use Facebook OAuth to authenticate with lots of other apps and web services. Some of those services may even have a user’s sensitive credit card or PayPal data.
GhostTeam has also been found to deliver obnoxious ads. The ads can interfere with a user’s everyday Android activities to a greater extent than ad services which are considered legitimate. The malicious ads can even acquire more sensitive data from a user and make a user’s device more vulnerable to other malware. GhostTeam can dim an Android device’s display so the user is unaware that the malware is clicking on ads on their behalf.
GhostTeam malware itself also acquires location data, device language preference, display parameters, and even unique device IDs. Lots of harm can be done when that information falls into the wrong hands. Attackers can follow you physically as you travel with your Android device.
So, What Now?
It’s believed that the attackers behind GhostTeam are based in Vietnam. A big clue is how the Trojans are available in both Vietnamese and English versions without other languages, and how Vietnamese text has actually been found in GhostTeam’s code.
If you believe your Android device is infected with a GhostTeam Trojan, here’s what you can do. First, try to uninstall the suspicious apps through the Apps section of your Android settings. You might have to clear app data and click on Force Stop before you click on Uninstall. Whether or not you were able to uninstall the apps successfully, you should then scan your phone with an antivirus app that has recently acquired the latest signatures available.
By now, most Android antivirus vendors should have signatures for GhostTeam. It hasn’t been a zero-day for a while, and there are patterns that can be found in an app’s code which make it likely to be GhostTeam. After removing the malware, you should change your Facebook password right away and set up two-factor authentication if you haven’t already.
Back when GhostTeam Trojans were in the Play Store, many of them had ratings of four stars or more. There are ways that cyber attackers can force their users to give their apps four or five star ratings, such as through obnoxious popups which won’t go away otherwise. Nonetheless, if you were to actually read the user reviews you’d find that most of them were quite negative.
For example, many of the reviews for Download Videos From Facebook said that the app didn’t actually download videos from Facebook. I highly recommend that Android users actually take their time to read user reviews of apps they’re interested in, both in the Play Store and on the web, before installing any APK. That applies to free apps, paid apps, apps with lots of downloads, and apps with very few downloads alike.