Ancient Ghost Push malware 'threatens 57% of Android devices'

Hackers target users on Android Lollipop and older versions

More than half of all Android devices could still be vulnerable to an ancient malware discovered two years ago, new research finds.

The resilient Ghost Push malware, which has evolved since its release in 2014, affects devices running up to version five of Android, codenamed Lollipop. This accounts for around 57% of all users, according to researchers at Chinese firm Cheetah Mobile.

Ghost Push will not operate on the latest versions of Android, including Marshmallow and the upcoming Nougat, although these accounts for just 10% of users (Android's own dashboard puts the Marshmallow figure at 18.7% during a September snapshot).

NetMarketShare figures show that currently, Android accounts for 51.14% of the operating systems on all mobile devices, with Android 6.0 accounting for 14.66% of the market.

Cheetah Mobile found that the majority of infections are coming from open source apps from unknown sources, rather than those found within the Google Play store. Android blocks app downloads from unknown sources by default, as they don't go through the same security vetting process as Play store apps, and users have to enable these downloads manually.

But Cheetah warned that three different instances of malware are being installed more than 10,000 times each day through the unknown sources feature.

Two specific Trojans, which made up the largest proportion of infections, were found to be part of the Ghost Push family.

Once installed on a device, the malware will promote malicious and pornographic pages that hold yet more malware, trick users into purchasing apps, and display ad-laden notifications to the user.

"So far, this Trojan family represents most infections," the research said. "As these root Trojans are very difficult to remove, and they often update the ads or root sdk automatically, there is a stable bunch of 'users'."

"The main sources of Trojans are pornographic websites, short links and ad links," Cheetah's report added

A number of legitimate apps found in third-party forums were also found to contain malicious links, including MX Player Pro, Run Keeper, and Music Player Pro.

Of course the best course of action for any user is to update to the latest version of Android. Users that are unable to update, or simply don't want to, are advised to avoid clicking on third-party links from unknown sources and stick to verified Google apps.

If your device is already infected, Cheetah mobile recommends using Trojan Killer to remove the malware, or restore your phone back to factory settings.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Most Popular

How to find RAM speed, size and type

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021