Ancient Ghost Push malware 'threatens 57% of Android devices'

Hackers target users on Android Lollipop and older versions

More than half of all Android devices could still be vulnerable to an ancient malware discovered two years ago, new research finds.

The resilient Ghost Push malware, which has evolved since its release in 2014, affects devices running up to version five of Android, codenamed Lollipop. This accounts for around 57% of all users, according to researchers at Chinese firm Cheetah Mobile.

Ghost Push will not operate on the latest versions of Android, including Marshmallow and the upcoming Nougat, although these accounts for just 10% of users (Android's own dashboard puts the Marshmallow figure at 18.7% during a September snapshot).

NetMarketShare figures show that currently, Android accounts for 51.14% of the operating systems on all mobile devices, with Android 6.0 accounting for 14.66% of the market.

Advertisement - Article continues below
Advertisement - Article continues below

Cheetah Mobile found that the majority of infections are coming from open source apps from unknown sources, rather than those found within the Google Play store. Android blocks app downloads from unknown sources by default, as they don't go through the same security vetting process as Play store apps, and users have to enable these downloads manually.

But Cheetah warned that three different instances of malware are being installed more than 10,000 times each day through the unknown sources feature.

Two specific Trojans, which made up the largest proportion of infections, were found to be part of the Ghost Push family.

Once installed on a device, the malware will promote malicious and pornographic pages that hold yet more malware, trick users into purchasing apps, and display ad-laden notifications to the user.

"So far, this Trojan family represents most infections," the research said. "As these root Trojans are very difficult to remove, and they often update the ads or root sdk automatically, there is a stable bunch of 'users'."

"The main sources of Trojans are pornographic websites, short links and ad links," Cheetah's report added

Advertisement - Article continues below

A number of legitimate apps found in third-party forums were also found to contain malicious links, including MX Player Pro, Run Keeper, and Music Player Pro.

Of course the best course of action for any user is to update to the latest version of Android. Users that are unable to update, or simply don't want to, are advised to avoid clicking on third-party links from unknown sources and stick to verified Google apps.

If your device is already infected, Cheetah mobile recommends using Trojan Killer to remove the malware, or restore your phone back to factory settings.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


operating systems

Best Linux distros 2019

24 Dec 2019

IBM doubles down on Red Hat independence

10 Jul 2019

Red Hat launches Enterprise Linux 8

7 May 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020