TrendLabs: Android Backdoor GhostCtrl

There’s actually a red flag that shows how the malicious APK is an OmniRAT spinoff. Given that it’s a RAT as a service, this can be modified (or removed) during compilation.

Figure 1: Snapshot of GhostCtrl version 3’s resources.arsc file indicating it’s an OmniRAT variant (highlighted)

REF: http://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/