Monday, December 1

New GhostGrab Android Malware Silently Steals Banking Login Details and Intercepts SMS for OTPs


A newly identified Android malware family, GhostGrab, targets mobile banking users with a dual-monetization strategy: covert cryptocurrency mining combined with wholesale theft of financial data.

Capabilities

GhostGrab is a multi-purpose threat. It methodically collects banking credentials, debit card details, personal identification data, and one-time passwords intercepted from SMS. In addition, it uses the compromised device's CPU to mine Monero, giving the operators a second revenue stream on top of fraud.

The malware declares its MainActivity with an intent filter that pairs android.intent.action.MAIN with android.intent.category.INFO instead of android.intent.category.LAUNCHER. INFO marks the activity as an entry point without listing it in the launcher's app drawer, so the app stays hidden from the user while running in the background.

Technical Specifications and Infrastructure

The attack begins with a JavaScript redirect on the malicious domain kychelp[.]live that prompts the victim's browser to download a dropper APK disguised as “BOM FIXED DEPOSIT.apk”.

The dropper shows a Play Store-style update screen to persuade the user to allow installs from this source. Once that is granted, it uses the REQUEST_INSTALL_PACKAGES permission to install additional hidden payloads from inside the app, sidestepping Google Play entirely; this is how the banking stealer module is deployed.

GhostGrab layers several persistence techniques: a sticky foreground notification, silent media playback (a common trick to keep the process alive), a battery-optimization exemption, app icon hiding, and auto-restart via broadcast receivers triggered by system events.

Data Exfiltration

The banking stealer component requests a wide set of Android permissions to support data exfiltration. With READ_SMS, RECEIVE_SMS, and SEND_SMS, GhostGrab reads and intercepts every incoming message, including one-time passwords and banking alerts, and can send messages of its own.

CALL_PHONE lets the malware place calls and dial carrier USSD codes without user interaction, including the codes that configure call forwarding, so verification calls can be rerouted to attacker-controlled numbers; READ_PHONE_STATE exposes the telephony and SIM state it needs for that.
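As an added example (not code from the original write-up or from the GhostGrab sample), the script below triages a decoded AndroidManifest.xml for the traits described in the sections above: a MAIN activity hidden with category INFO, the SMS and CALL_PHONE permissions, REQUEST_INSTALL_PACKAGES for sideloading, the battery-optimization exemption, and a BOOT_COMPLETED receiver for auto-restart. The manifest embedded in it is constructed for the example; its package and class names are invented.

```python
"""Triage a decoded AndroidManifest.xml (from apktool or androguard) for the
traits described above.  The embedded sample manifest is constructed for
this example; its package and class names are invented, not GhostGrab's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # how ElementTree spells android:name
ACTION_MAIN = "android.intent.action.MAIN"
ACTION_BOOT = "android.intent.action.BOOT_COMPLETED"
CAT_LAUNCHER = "android.intent.category.LAUNCHER"
CAT_INFO = "android.intent.category.INFO"

# Capability -> permissions that must all be requested for it to count.
CAPABILITIES = {
    "sms-interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "sms-sending": {"android.permission.SEND_SMS"},
    "call-forwarding-ussd": {"android.permission.CALL_PHONE"},
    "telephony-recon": {"android.permission.READ_PHONE_STATE"},
    "sideload-installer": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "battery-exemption": {
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}


def _filters(component):
    """Yield (actions, categories) for each <intent-filter> of a component."""
    for flt in component.findall("intent-filter"):
        yield ({a.get(NAME) for a in flt.findall("action")},
               {c.get(NAME) for c in flt.findall("category")})


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.findall("uses-permission")}
    app = root.find("application")
    activities = app.findall("activity") if app is not None else []
    receivers = app.findall("receiver") if app is not None else []

    findings = {cap: needed <= perms for cap, needed in CAPABILITIES.items()}

    # MAIN+LAUNCHER shows in the app drawer; MAIN+INFO is a valid entry
    # point that the launcher never lists.
    launcher = [a.get(NAME) for a in activities for acts, cats in _filters(a)
                if ACTION_MAIN in acts and CAT_LAUNCHER in cats]
    hidden = [a.get(NAME) for a in activities for acts, cats in _filters(a)
              if ACTION_MAIN in acts and CAT_INFO in cats]
    findings["hidden-entry-point"] = bool(hidden) and not launcher
    findings["hidden-activities"] = hidden

    # A receiver for BOOT_COMPLETED is the usual auto-restart hook.
    findings["boot-receivers"] = [r.get(NAME) for r in receivers
                                  for acts, _ in _filters(r) if ACTION_BOOT in acts]
    return findings


def suspicious(findings: dict) -> bool:
    """Hidden entry point, SMS interception and a sideloading installer is the
    combination this family shows; two of the three is enough to flag."""
    hits = [findings["hidden-entry-point"], findings["sms-interception"],
            findings["sideload-installer"]]
    return sum(hits) >= 2


# Constructed sample manifest mirroring the traits described in the write-up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fd">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Fixed Deposit">
        <activity android:name="com.example.fd.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.INFO"/>
            </intent-filter>
        </activity>
        <receiver android:name="com.example.fd.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(f"{key:22} {value}")
    print("suspicious:", suspicious(result))
```

The hidden-entry-point check deliberately requires that no MAIN activity carries LAUNCHER at all: legitimate apps sometimes add an INFO activity alongside a normal launcher entry, and flagging those would drown the signal. Swapping INFO for LAUNCHER in the sample manifest makes that finding go away while the permission findings stay.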

Credential Harvesting Workflow

GhostGrab bundles phishing pages in the APK's assets folder and displays them in a WebView that mimics legitimate banking interfaces. The pages walk the victim through a credential harvesting workflow, asking for personal information and banking credentials step by step.

JavaScript injected into the WebView hooks form submissions, captures everything entered, and transmits it to an attacker-controlled Firebase Realtime Database.

Command Execution and Financial Impact

GhostGrab receives remote commands over Firebase Cloud Messaging; these can enable call forwarding, send SMS, or turn on continuous forwarding of incoming SMS to attacker-controlled numbers. It also performs SIM reconnaissance, collecting carrier names, phone numbers, and SIM slot indices.

For mining, the malware builds the miner's command line in the background, with a hardcoded Monero wallet address and mining pool endpoints baked in, so every infected device contributes hashrate to the threat actors' wallet.
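The hardcoded wallet, pool endpoints and Firebase database URL described in this section and the one before it are the indicators an analyst would want to pull out of a sample. The script below, an added example and not the write-up's or the malware's own code, extracts them from a strings dump of a decoded APK. The dump is constructed; the flag names it looks for (-o/--url, -u/--user) assume an xmrig-style miner, which the write-up does not state.

```python
"""Extract Monero wallet addresses, stratum pool endpoints and Firebase
Realtime Database URLs from a strings dump of a decoded APK.  Added example;
the dump is constructed and the miner flag names are an assumption."""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"  # Bitcoin/Monero base58: no 0, O, I, l
# Monero standard addresses start with 4, subaddresses with 8; both are 95
# base58 characters.  Integrated addresses append an 11-character payment id.
MONERO_ADDR = re.compile(
    rf"(?<!{BASE58})[48]{BASE58}{{94}}(?:{BASE58}{{11}})?(?!{BASE58})")
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://[A-Za-z0-9.-]+:\d{2,5}")
FIREBASE_RTDB = re.compile(
    r"""https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)(?:/[^\s"'<>]*)?""")

# Assumed: the embedded miner takes xmrig-style flags.  The write-up only
# says the malware builds a miner command line with a wallet and a pool.
POOL_FLAGS = {"-o", "--url"}
USER_FLAGS = {"-u", "--user"}


def extract_iocs(strings_dump: str) -> dict:
    lines = [ln.strip() for ln in strings_dump.splitlines()]
    wallets, pools = set(), set()

    # 1. Pattern matches anywhere in the dump, regardless of how they are used.
    wallets.update(MONERO_ADDR.findall(strings_dump))
    pools.update(STRATUM_URL.findall(strings_dump))
    firebase = sorted(set(FIREBASE_RTDB.findall(strings_dump)))

    # 2. Flag/value pairs: a dex string table keeps each argument as its own
    #    entry, so "-o" is followed by the pool and "-u" by the wallet.  This
    #    also catches pools written without a stratum:// scheme.
    for flag, value in zip(lines, lines[1:]):
        if flag in POOL_FLAGS and value:
            pools.add(value)
        elif flag in USER_FLAGS and MONERO_ADDR.fullmatch(value):
            wallets.add(value)
    for ln in lines:  # "--url=host:port" form
        key, _, val = ln.partition("=")
        if key in POOL_FLAGS and val:
            pools.add(val)

    return {"wallets": sorted(wallets), "pools": sorted(pools),
            "firebase": firebase}


# Constructed wallet: valid shape (prefix 4, 95 base58 chars), not a real one.
CONSTRUCTED_WALLET = "4" + ("AbCdEfGhJkMnPq" * 7)[:94]

# Constructed strings dump in the style of `strings classes.dex` output.
SAMPLE_STRINGS = f"""Ljava/lang/ProcessBuilder;
-o
stratum+tcp://pool.example-mining.test:3333
-u
{CONSTRUCTED_WALLET}
-p
x
--donate-level=1
https://ghostgrab-demo.firebaseio.com/victims.json
android.permission.RECEIVE_SMS
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_STRINGS).items():
        print(kind, values)
```

Two independent passes are used on purpose: the regexes find a wallet or pool even when the miner is configured from JSON or a native library rather than argv, while the flag-pair pass catches a pool given as a bare host:port that no URL pattern would match.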

Recommendations

Users should review installed applications and uninstall anything suspicious, particularly apps that imitate banking applications. Mobile device administrators should tighten SMS and notification monitoring, enforce app vetting policies, and apply geofencing restrictions on financial applications.

Organizations should deploy mobile threat defense solutions that detect privilege escalation attempts, such as the REQUEST_INSTALL_PACKAGES abuse described above, and Firebase-based exfiltration patterns. Users should move two-factor authentication to an authenticator application rather than SMS, since SMS codes are exactly what this malware intercepts.
