It's been more than two years since the existence of the Ghost Push mobile Trojan was made public – but millions of devices are still vulnerable.
The Trojan, which began evolving in the wild in 2014, infected up to 600,000 Android smartphone and tablet users per day at its peak. After installation, the malware runs a malicious DEX file, an Android program executable, to root victim devices and run malicious processes on startup.
Ghost Push is also able to install unwanted apps and programs, display adverts, spy on users, and steal personal information. The Trojan also pushes ads in the Android notification bar to trick users into paying for additional "services," such as porn or other third-party software.
The Trojan makes its way onto user devices through third-party app offerings. While Google conducts rigorous security checks when an app is submitted to the official Google Play store, there are Android users who still download applications from other sources.
Ghost Push can be hidden by attackers in any app that does not go through Google Play, and has been detected in both spoofed and legitimate versions of apps including Wi-Fi Enhancer, Amazon, and Memory Booster. Researchers from Cheetah Mobile say that the malware now also spreads through malicious links, malvertising, and pornography websites.
"As these root Trojans are very difficult to remove, and they often update the ads or root SDK automatically, there is a stable bunch of 'users,'" the researchers note. "Through pushing ads and distributing apps to these users, the Trojans can make profits constantly."
Android users who keep their devices up to date have no need to worry, however, as Ghost Push does not work on Android Marshmallow 6.0 or Nougat 7.0. The problem is outdated devices still running version five, Android Lollipop, or earlier. Google estimates that over 50 percent of users are running devices on Android Lollipop and earlier, which leaves potentially millions of devices open to exploitation.
"Users should avoid clicking unknown third-party links and only download applications from reputable app stores," the researchers note. "If the phones become infected via root Trojans, users can remove the Trojans with Trojan Killer or just flash their phones. Another solution is to update the device to Android 6.0."