Ancient Ghost Push malware 'threatens 57% of Android devices'

Hackers target users on Android Lollipop and older versions

More than half of all Android devices could still be vulnerable to an ancient malware discovered two years ago, new research finds.

The resilient Ghost Push malware, which has evolved since its release in 2014, affects devices running up to version five of Android, codenamed Lollipop. This accounts for around 57% of all users, according to researchers at Chinese firm Cheetah Mobile.

Ghost Push will not operate on the latest versions of Android, including Marshmallow and the upcoming Nougat, although these account for just 10% of users (Android's own dashboard puts the Marshmallow figure at 18.7% during a September snapshot).

NetMarketShare figures show that currently, Android accounts for 51.14% of the operating systems on all mobile devices, with Android 6.0 accounting for 14.66% of the market.

Cheetah Mobile found that the majority of infections are coming from open source apps from unknown sources, rather than those found within the Google Play store. Android blocks app downloads from unknown sources by default, as they don't go through the same security vetting process as Play store apps, and users have to enable these downloads manually.

But Cheetah warned that three different instances of malware are being installed more than 10,000 times each day through the unknown sources feature.

Two specific Trojans, which made up the largest proportion of infections, were found to be part of the Ghost Push family.

Once installed on a device, the malware will promote malicious and pornographic pages that hold yet more malware, trick users into purchasing apps, and display ad-laden notifications to the user.

"So far, this Trojan family represents most infections," the research said. "As these root Trojans are very difficult to remove, and they often update the ads or root sdk automatically, there is a stable bunch of 'users'."

"The main sources of Trojans are pornographic websites, short links and ad links," Cheetah's report added.

A number of legitimate apps found in third-party forums were also found to contain malicious links, including MX Player Pro, Run Keeper, and Music Player Pro.

Of course, the best course of action for any user is to update to the latest version of Android. Users who are unable to update, or simply don't want to, are advised to avoid clicking on third-party links from unknown sources and stick to verified Google apps.

If your device is already infected, Cheetah Mobile recommends using Trojan Killer to remove the malware, or restoring your phone to factory settings.
