May 27, 2025
Severity
High
Analysis Summary
GhostSpy is a newly identified, highly sophisticated Android malware that poses a significant threat to mobile device security by granting attackers full control over infected smartphones and tablets.
Discovered by Researchers, this web-based Remote Access Trojan (RAT) follows a multi-stage infection strategy, starting with a dropper app disguised as a legitimate update or utility. This dropper silently escalates privileges and installs a secondary payload to enable long-term surveillance and control. GhostSpy stands out due to its advanced evasion techniques, persistent access mechanisms, and its abuse of Android’s Accessibility Services and Device Administrator APIs to silently gain extensive permissions without user awareness.
Once deployed, GhostSpy unleashes a wide array of spying and data exfiltration features, including keylogging, screen capture, GPS tracking, audio/video recording, SMS and call log theft, and remote command execution. Alarmingly, it bypasses the security features of banking applications that typically block screenshots by using a “skeleton view reconstruction” technique to extract full UI layouts. This enables the theft of banking credentials and unauthorized financial transactions, representing a severe risk to both personal privacy and financial assets. Its command-and-control infrastructure suggests a Brazilian origin, with multilingual capabilities (Portuguese, English, Spanish) and multiple servers, such as the primary C2 domain stealth.gstpanel.fun operating on ports 3000 and 4200, highlighting its international targeting scope.
The infection process begins with the method updateApp() in the dropper, which checks for the canRequestPackageInstalls() permission. If this is absent, users are tricked into enabling unknown app sources via a targeted redirect. Upon obtaining permissions, the malware uses copyApkFromAssets("update.apk") and installApk() to deploy a hidden secondary APK using a FileProvider-generated content URI. The secondary payload, identified as com..support.Litework, includes a powerful auto-permission-granting feature. It simulates human-like taps through the method AllowPrims14_normal, navigating Android's UI to grant all necessary access silently, even on the latest Android versions.
Additionally, GhostSpy employs a recursive function called getAutomaticallyPermission, which uses Android's AccessibilityNodeInfo API to locate and automatically click permission buttons labeled in various languages such as “Allow,” “While using the app,” and “Permitir.” This multilingual targeting highlights the malware’s global design and adaptability across different devices and user environments. Together, its automated installation, multilingual interface navigation, and deep exploitation of Android permission systems mark GhostSpy as one of the most dangerous mobile malware threats to date, blending traditional RAT functionality with cutting-edge mobile-specific attack vectors.
Impact
- Sensitive Information Theft
- Security Bypass
- Gain Access
- Code Execution
- Financial Loss
Indicators of Compromise
IP
- 37.60.233.14
MD5
- 3701535f51fe33673fef155d43247df5
- 6841b9fe23cde512d040a8eb2a76078e
SHA-256
- e9f2f6e47e071ed2a0df5c75e787b2512ba8a601e55c91ab49ea837fd7a0fc85
- 73e647287408b2d40f53791b8a387a2f7eb6b1bba1926276e032bf2833354cc4
SHA1
- e0eb39589a97a4d576b8f9be9d41cdbfbd177c67
- 80dd5ed2d4996b409c957ce363831041783f5506
URL
- https://gsttrust.org
- https://stealth.gstpainel.fun
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never install applications from unknown sources or outside the official Google Play Store. Disable the “Install unknown apps” permission for all apps unless absolutely necessary.
- Be cautious of apps pretending to be system updates or utilities. Verify app authenticity before installation, especially when prompted unexpectedly to install or update something.
- Go to device settings and review app permissions frequently. Revoke unnecessary or suspicious permissions, especially those related to Accessibility Services and Device Admin.
- Only enable Accessibility Services for trusted apps. Disable it for apps you don’t recognize or that don’t need it for their core functionality.
- Use a trusted antivirus or mobile security solution that includes real-time malware detection, heuristic analysis, and permission monitoring.
- Regularly install Android OS and security updates to patch known vulnerabilities that malware like GhostSpy could exploit.
- Ensure Google Play Protect is enabled in the Play Store settings to scan for and block potentially harmful apps.
- Train employees to recognize phishing and malicious apps, especially if the device is used for work. Enforce strict mobile device management (MDM) policies.
- Look out for sudden battery drain, overheating, unusual permissions granted, or apps behaving abnormally; these may indicate a malware infection.
- If you suspect your device is compromised and cannot remove the malware manually, back up your data and perform a factory reset to wipe out persistent threats.
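The Accessibility Service abuse described in the analysis and the permission-review and IoC-hunting steps in the remediation list can be checked from a workstation with adb. The helper below is an added example, not code from the advisory or from any vendor tool; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -f -3`, flags accessibility grants outside an assumed allowlist, and compares pulled APK bytes with the advisory's SHA-256 indicators. The allowlist contents and the sample setting value are constructed assumptions.

```python
import hashlib

# SHA-256 indicators quoted from the IoC section of this advisory.
GHOSTSPY_SHA256 = {
    "e9f2f6e47e071ed2a0df5c75e787b2512ba8a601e55c91ab49ea837fd7a0fc85",
    "73e647287408b2d40f53791b8a387a2f7eb6b1bba1926276e032bf2833354cc4",
}

# Assumption: packages a fleet legitimately allows to hold accessibility access.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}

# Constructed sample of the secure setting as left behind by an unknown
# app that granted itself accessibility access (package name is invented).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.update/.SupportService"
)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_enabled_accessibility_services(setting_value):
    """Parse the colon-separated 'package/service' list of the secure setting
    enabled_accessibility_services; 'null' means nothing is enabled and a
    service starting with '.' is relative to its package."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, svc = entry.partition("/")
        pairs.append((pkg, pkg + svc if svc.startswith(".") else svc))
    return pairs


def suspicious_accessibility_services(setting_value, allowlist=ACCESSIBILITY_ALLOWLIST):
    """Return (package, service) pairs whose package is not allowlisted."""
    return [(p, s) for p, s in parse_enabled_accessibility_services(setting_value)
            if p not in allowlist]


def parse_pm_packages(pm_output):
    """Parse 'package:<apk path>=<package>' lines from `pm list packages -f -3`."""
    apks = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            path, _, pkg = line[len("package:"):].rpartition("=")
            apks[pkg] = path
    return apks


def ioc_hash_matches(apk_bytes_by_pkg, iocs=GHOSTSPY_SHA256):
    """Return package names whose pulled APK bytes hash to an advisory indicator."""
    return sorted(pkg for pkg, data in apk_bytes_by_pkg.items() if sha256_hex(data) in iocs)
```

Pull each third-party APK with `adb pull <path>` and feed its bytes to `ioc_hash_matches`; anything returned by `suspicious_accessibility_services` deserves a manual review even when no hash matches, since the advisory's samples are unlikely to be the only builds.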