The Scary Prospects of the Android Virus “GhostCtrl”

Getting a virus on your phone used to be nothing more than a novel idea. These days, however, a phone-based virus is a very real threat. As more and more people purchase and use smartphones in their daily lives, they’ve become more alluring targets for hackers to breach and create malware for. New strains of malware are constantly being made, but one particular strain of virus has caused large waves within the cyber security world.

Going by the name “GhostCtrl,” this new threat is actually the third iteration of a current virus. Unlike the other two versions, however, this new variant on GhostCtrl comes with a wide variety of terrifying features.

How GhostCtrl Is Spread


GhostCtrl enters a victim’s device when they go to install an infected APK file, which is usually masquerading as a popular app such as WhatsApp or Pokémon Go. When the user chooses to install it, the APK will show the usual install prompt. However, if the user tries to decline the installation, the prompt will reappear again.

Should the user get frustrated and end up accepting the install, the virus plants itself in the system using backdoors. It then opens a channel of communication to the hacker’s “C&C server.” C&C is short for “command and control” and is used in botnet operations to send commands to infected devices. As such, once a phone has GhostCtrl on it, it is now subject to receive commands from the malware distributors via this C&C server.

What Does GhostCtrl Do?

The scariest part of GhostCtrl isn’t how it’s spread but what it does. TrendLabs has a full list of all the “action codes” that the hackers can send to GhostCtrl via the C&C server and what each code does. For brevity’s sake, here’s a sample of some of the more drastic actions tied to action codes:

  • Monitor the phone sensors’ data in real time.
  • List the file information in the current directory and upload it to the C&C server.
  • Delete a file in the indicated directory.
  • Send SMS/MMS to a number specified by the attacker; the content can also be customized.
  • Call a phone number indicated by the attacker.

This is dire by itself, but GhostCtrl can do more. TrendLabs goes on to explain that GhostCtrl can also steal information held on the phone. The stolen data can include Android version information, browser history, and camera data. Not only that, but it can also monitor and upload logs of your SMS and recordings of your calls.

Should the hacker decide to, GhostCtrl also has the ability to perform a ransomware-styled attack. Using its abilities, it can change all the passwords and PINs on the device to hold it hostage, then ask the user to pay up to unlock the device again. This leads to speculation that GhostCtrl’s goal is to hit phones that contain important, sensitive information that can be sold, such as those owned by healthcare organisations. Should that fail, Plan B is to instead garner money through the ransomware feature.

How Can I Stop This?

With such a nasty package of features, GhostCtrl can (rightfully!) scare users from their phones. However, a few simple precautions can help stop yourself from being a victim of this new, intricate wave of attack.


If you remember, GhostCtrl manages to work its way onto a system by being packaged with an infected APK file. As such, users put themselves at risk if they download APK files from a bad source. For example, users may be driven to third-party APK sites should they discover that an app they want is behind a country or device restriction. All it takes is for the user to visit and download an infected APK file from a malicious site, and they’ve infected their device with the virus. Stay away from APK sites and don’t download suspicious apps, even if they’re published via the Google Play store.


Installing a solid antivirus should help with stopping the virus from infecting the system. Should this fail, however, there is a plan B; because GhostCtrl needs to talk to its C&C servers in order to receive commands, another recommended solution is to stop it from talking in the first place. A good mobile firewall solution should be able to detect the attempt to “phone home” and warn you about it, allowing you to block the malware from receiving orders. While it won’t stop the phone from being infected, it should prevent any damage from being done. This will give you some time to fix the issue without having your data stolen.

Ghost Busters

GhostCtrl is an extremely nasty example of how advanced malware can completely take over a phone’s capabilities. By staying cautious on what you download and installing a proper firewall application, you can stop yourself from being a victim to this attack.

Do you download APK files from websites? Does this news make you more cautious of doing so? Let us know below.

Simon Batt
Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox