A newly identified Android malware, dubbed GhostSpy, has raised significant concerns in the cybersecurity community due to its sophisticated evasion, privilege escalation, and persistence mechanisms that enable complete control over infected devices.
Security researchers revealed that GhostSpy leverages a multi-stage infection chain, advanced abuse of Android’s Accessibility Services, and anti-uninstall overlays, giving attackers long-term and near-absolute access to victim smartphones.
Multi-Stage Infection
The infection process initiated by GhostSpy begins with a dropper application masquerading as a legitimate app update.
This dropper abuses Accessibility Services and UI automation to silently sideload and install a secondary APK (identified as “update.apk”) without user intervention.

Through simulated screen taps and recursive traversal of the on-screen UI tree, GhostSpy clicks through Android’s runtime permission dialogs on the user’s behalf, granting itself a broad range of sensitive permissions: SMS, contacts, call logs, camera, microphone and device location.
Once deployed, the main payload registers with the attacker’s command-and-control (C2) infrastructure and obtains Device Admin privileges and the display-overlay permission (SYSTEM_ALERT_WINDOW), which lets it draw over other apps and over system UI.
This grants the malware extensive control, enabling it to silently monitor device activities, extract sensitive data, conduct real-time surveillance, and resist user-initiated removal attempts.
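The privilege combination described above (an enabled Accessibility Service held by a third-party app, plus the overlay permission and/or a Device Admin role) is what an analyst would look for on a suspect handset. The following triage script is an added example for this article, not GhostSpy’s code or the researchers’ tooling. It assumes `adb` is on PATH with one device attached; the allowlist, the `AccService` and `AdminReceiver` class names and the sample command outputs are constructed for illustration, and the package name comes from the IOC table below.

```python
# Added example (not from the GhostSpy report): correlate `adb shell` outputs
# into per-package findings matching the accessibility + overlay/admin pattern.
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field

# Hypothetical allowlist of accessibility services the organisation approves.
APPROVED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def adb(*args: str) -> str:
    """Run `adb shell <args>` and return stdout, or '' if the command failed."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def parse_enabled_accessibility(raw: str) -> list[str]:
    """`settings get secure enabled_accessibility_services` prints a
    ':'-separated list of pkg/ServiceClass components, or 'null'."""
    raw = raw.strip()
    return [] if not raw or raw == "null" else [c for c in raw.split(":") if c]


def parse_third_party_packages(raw: str) -> set[str]:
    """`pm list packages -3` prints one 'package:com.example' line per app."""
    return {ln.split(":", 1)[1].strip() for ln in raw.splitlines() if ln.startswith("package:")}


def overlay_allowed(appops_raw: str) -> bool:
    """`appops get <pkg> SYSTEM_ALERT_WINDOW`: mode 'allow' means the package
    may draw over other apps, i.e. it holds the overlay permission."""
    return any(ln.strip().startswith("SYSTEM_ALERT_WINDOW:") and "allow" in ln
               for ln in appops_raw.splitlines())


def admin_packages_in(device_policy_raw: str, candidates: set[str]) -> set[str]:
    """Heuristic: a third-party package named anywhere in `dumpsys device_policy`
    is treated as holding a Device Admin role (format-agnostic on purpose)."""
    return {pkg for pkg in candidates if pkg in device_policy_raw}


@dataclass
class Finding:
    package: str
    accessibility_services: list[str] = field(default_factory=list)
    overlay: bool = False
    device_admin: bool = False

    def suspicious(self) -> bool:
        """Accessibility plus overlay and/or Device Admin is the GhostSpy shape."""
        return bool(self.accessibility_services) and (self.overlay or self.device_admin)


def assess(enabled_raw: str, packages_raw: str, appops_by_pkg: dict[str, str],
           device_policy_raw: str) -> dict[str, Finding]:
    """Correlate the command outputs; system and approved services are skipped."""
    third_party = parse_third_party_packages(packages_raw)
    findings: dict[str, Finding] = {}
    for component in parse_enabled_accessibility(enabled_raw):
        pkg = component.split("/", 1)[0]
        if pkg not in third_party or pkg in APPROVED_ACCESSIBILITY:
            continue
        findings.setdefault(pkg, Finding(pkg)).accessibility_services.append(component)
    admins = admin_packages_in(device_policy_raw, third_party)
    for pkg, finding in findings.items():
        finding.overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        finding.device_admin = pkg in admins
    return findings


def triage_live() -> dict[str, Finding]:
    """Collect the four outputs from an attached device and assess them."""
    packages_raw = adb("pm", "list", "packages", "-3")
    appops = {pkg: adb("appops", "get", pkg, "SYSTEM_ALERT_WINDOW")
              for pkg in parse_third_party_packages(packages_raw)}
    return assess(adb("settings", "get", "secure", "enabled_accessibility_services"),
                  packages_raw, appops, adb("dumpsys", "device_policy"))


# Constructed sample outputs standing in for a compromised device. The service
# and receiver class names are hypothetical; the package is from the IOC table.
SAMPLE_ENABLED = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                  ":com.support.litework/com.support.litework.AccService")
SAMPLE_PACKAGES = "package:com.support.litework\npackage:com.example.notes\n"
SAMPLE_APPOPS = {"com.support.litework": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m0s ago\n",
                 "com.example.notes": "No operations.\n"}
SAMPLE_DEVICE_POLICY = ("Enabled Device Admins (User 0):\n"
                        "  com.support.litework/com.support.litework.AdminReceiver:\n")

if __name__ == "__main__":
    for pkg, f in assess(SAMPLE_ENABLED, SAMPLE_PACKAGES, SAMPLE_APPOPS, SAMPLE_DEVICE_POLICY).items():
        print(pkg, "SUSPICIOUS" if f.suspicious() else "review", f)
```

Run `triage_live()` against a real handset; the sample data only exercises the parsing. Note that `pm uninstall` is refused while a package is an active Device Admin, so a flagged app normally has to be stripped of that role (from safe mode, where third-party apps and their overlays do not run) before it can be removed.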
GhostSpy’s core capabilities include keylogging, automated screen capture (even within secure or screenshot-restricted applications such as banking apps), audio and video recording, GPS tracking, and real-time remote command execution.

Notably, the malware reconstructs user interfaces through skeleton view extraction, reading the structure and text of on-screen views via the accessibility tree rather than capturing pixels. This sidesteps the anti-screen-mirroring protection (FLAG_SECURE) that financial apps commonly rely on, because that flag blocks screenshots and screen recording but not accessibility access to view content. App developers can narrow the exposure on Android 14 and later by marking sensitive views accessibilityDataSensitive, which hides them from accessibility services that do not declare themselves accessibility tools, though a sideloaded malicious service can still make that declaration.
This allows it to harvest login credentials, OTPs, 2FA codes, chats and credit card information, heightening the risk of credential theft and financial fraud.
The malware also exploits its elevated privileges to launch overlay attacks that mimic legitimate system dialogs, thereby blocking uninstallation through full-screen warnings and scaring users with deceptive messages about potential data loss.
These overlays prevent user interaction with system settings and impede even technically savvy users from removing the threat through conventional methods, often requiring advanced tools or expert intervention for full remediation.
Researchers have traced GhostSpy’s backend infrastructure to several active C2 endpoints, including domains such as stealth.gstpainel.fun and gsttrust.org, as well as IP address 37.60.233.14.
The malware’s C2 panel supports multiple languages, indicating a global victim base, though evidence suggests its primary developer and distributor operate from Brazil.
According to the report, GhostSpy was initially promoted on Telegram channels and YouTube (some channels with more than 100,000 subscribers) under the slogan “A Melhor em Monitoramento e Gestão dos Seus Dispositivos!” (“The Best in Monitoring and Management of Your Devices!”), pointing to a professional, well-organized threat operation.
Technical Analysis
GhostSpy’s technical underpinnings reveal a modular architecture capable of:
- Real-time screen and camera streaming via Android MediaProjection and Camera2 APIs.
- Automated touch simulation to approve all runtime permissions.
- Anti-uninstallation routines that hijack system uninstall dialogs and cancel removal attempts.
- Access to local storage and content providers for exfiltrating the gallery, SMS, call log and calendar.
- Remote device wipe via DevicePolicyManager, using the Device Admin role acquired during installation.
The malware encrypts its communication with the C2 over application-layer channels, including WebSockets, for robust and stealthy data exfiltration.
All evidence points to a continuously evolving codebase, actively maintained by its operators with regular updates and new features.
To mitigate risks posed by GhostSpy, organizations and users are urged to:
- Restrict app installation to an allowlist of approved packages (on managed devices, through MDM policy) and block installation from unknown sources.
- Deploy mobile threat defense (MTD) solutions capable of detecting overlay attacks and abnormal Accessibility Service usage.
- Regularly update Android OS and security applications.
- Educate users regarding the dangers of sideloading and phishing prompts.
- Monitor network traffic for known malicious infrastructure and employ YARA rules to detect GhostSpy variants.
Failure to address such threats may result in severe compromise of user privacy, financial loss, and organizational data breaches.
Indicators of Compromise (IOCs)
| S. N | Indicator | Type | Context |
|---|---|---|---|
| 1 | e9f2f6e47e071ed2a0df5c75e787b2512ba8a601e55c91ab49ea837fd7a0fc85 | APK Hash | Dropper APK (com.support.litework) |
| 2 | 73e647287408b2d40f53791b8a387a2f7eb6b1bba1926276e032bf2833354cc4 | APK Hash | Payload APK (com.support.litework) |
| 3 | https://stealth.gstpainel.fun | URL | C2 – exfiltration server |
| 4 | 37.60.233.14 | IP Address | C2 – exfiltration server |
| 5 | https://gsttrust.org | URL | C2 – exfiltration server |
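The network-monitoring and YARA advice above, and the IOC table, are most useful when the indicators are applied to real telemetry. The following sweep is an added example for this article, not the researchers’ tooling: it hashes candidate APKs against the two SHA-256 values and scans DNS, proxy and firewall records for the C2 domains and IP. The hashes, domains and IP are taken from the table; the log lines are constructed, and `api.gsttrust.org` is a hypothetical subdomain used only to show that the script also flags subdomains of the listed C2 domains, which goes beyond the exact hosts in the table.

```python
# Added example (not from the GhostSpy report): sweep files and log lines for
# the indicators in the IOC table. Log records below are constructed.
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from typing import BinaryIO, Iterable

IOC_SHA256 = {
    "e9f2f6e47e071ed2a0df5c75e787b2512ba8a601e55c91ab49ea837fd7a0fc85":
        "GhostSpy dropper APK (com.support.litework)",
    "73e647287408b2d40f53791b8a387a2f7eb6b1bba1926276e032bf2833354cc4":
        "GhostSpy payload APK (com.support.litework)",
}
IOC_DOMAINS = {"stealth.gstpainel.fun", "gsttrust.org"}  # hosts of the C2 URLs
IOC_IPS = {"37.60.233.14"}

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def sha256_stream(stream: BinaryIO, chunk: int = 1 << 20) -> str:
    """Hash in chunks so large APKs are not loaded into memory at once."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def match_digest(hexdigest: str) -> str | None:
    """Return the IOC label for a SHA-256 hex digest, or None."""
    return IOC_SHA256.get(hexdigest.lower())


def scan_files(paths: Iterable[Path]) -> list[tuple[str, str]]:
    """Hash each file and report (path, label) for every IOC hash hit."""
    hits = []
    for path in paths:
        with open(path, "rb") as fh:
            label = match_digest(sha256_stream(fh))
        if label:
            hits.append((str(path), label))
    return hits


def domain_matches(host: str) -> bool:
    """Exact match or subdomain of an IOC domain. Subdomain matching extends
    the table, which lists specific hosts, so treat such hits as leads."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log_line(line: str) -> list[str]:
    """Return the IOC IPs and hosts mentioned in one log line, deduplicated."""
    hits = [ip for ip in _IPV4.findall(line) if ip in IOC_IPS]
    hits += [h for h in _HOSTNAME.findall(line) if domain_matches(h)]
    return list(dict.fromkeys(hits))


def scan_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to IOC hits; lines without hits are omitted."""
    return {n: hits for n, line in enumerate(text.splitlines(), 1)
            if (hits := scan_log_line(line))}


# Constructed DNS/proxy/firewall records for illustration only.
SAMPLE_LOG = """\
dns   client=10.0.0.23 q=stealth.gstpainel.fun type=A
proxy client=10.0.0.23 url=https://api.gsttrust.org/upload status=200
proxy client=10.0.0.9  url=https://example.com/ status=200
fw    src=10.0.0.23 dst=37.60.233.14 dport=443 action=allow
"""

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
    print(scan_files(Path(".").glob("*.apk")))
```

Point `scan_files` at a directory of sideloaded APKs pulled from the device and feed `scan_log` your DNS or proxy exports; a hash miss on a repackaged sample is expected, since the two digests only identify the analysed builds, which is why the network indicators and behavioural checks matter alongside them.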