Ancient Ghost Push malware 'threatens 57% of Android devices'

Hackers target users on Android Lollipop and older versions

More than half of all Android devices could still be vulnerable to an ancient malware discovered two years ago, new research finds.

The resilient Ghost Push malware, which has evolved since its release in 2014, affects devices running up to version five of Android, codenamed Lollipop. This accounts for around 57% of all users, according to researchers at Chinese firm Cheetah Mobile.

Ghost Push will not operate on the latest versions of Android, including Marshmallow and the upcoming Nougat, although these accounts for just 10% of users (Android's own dashboard puts the Marshmallow figure at 18.7% during a September snapshot).

NetMarketShare figures show that currently, Android accounts for 51.14% of the operating systems on all mobile devices, with Android 6.0 accounting for 14.66% of the market.

Cheetah Mobile found that the majority of infections are coming from open source apps from unknown sources, rather than those found within the Google Play store. Android blocks app downloads from unknown sources by default, as they don't go through the same security vetting process as Play store apps, and users have to enable these downloads manually.

But Cheetah warned that three different instances of malware are being installed more than 10,000 times each day through the unknown sources feature.

Two specific Trojans, which made up the largest proportion of infections, were found to be part of the Ghost Push family.

Once installed on a device, the malware will promote malicious and pornographic pages that hold yet more malware, trick users into purchasing apps, and display ad-laden notifications to the user.

"So far, this Trojan family represents most infections," the research said. "As these root Trojans are very difficult to remove, and they often update the ads or root sdk automatically, there is a stable bunch of 'users'."

"The main sources of Trojans are pornographic websites, short links and ad links," Cheetah's report added

A number of legitimate apps found in third-party forums were also found to contain malicious links, including MX Player Pro, Run Keeper, and Music Player Pro.

Of course the best course of action for any user is to update to the latest version of Android. Users that are unable to update, or simply don't want to, are advised to avoid clicking on third-party links from unknown sources and stick to verified Google apps.

If your device is already infected, Cheetah mobile recommends using Trojan Killer to remove the malware, or restore your phone back to factory settings.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Trend Micro and Snyk team up to combat open source flaws
vulnerability

Trend Micro and Snyk team up to combat open source flaws

10 May 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

7 May 2021
Redis closes another round of funding, raking in an additional $110 million
open source

Redis closes another round of funding, raking in an additional $110 million

8 Apr 2021
Six things a developer should know about Postgres
Whitepaper

Six things a developer should know about Postgres

22 Mar 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
Q&A: Enabling transformation
Sponsored

Q&A: Enabling transformation

10 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021