Ghost Push

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed. The malware hogs all the system resources, making the phone unresponsive and draining the battery. Advertisements continually appear either as full or partial screen ads or in the status bar. Unwanted apps and malicious software are automatically downloaded and installed when connected to the internet. The malware is hard to detect.[1]


It was discovered in September 18, 2015 by Cheetah Mobile's CM Security Research Lab.[2][3][4][5][6]

Further investigation of Ghost Push revealed more recent variants, which, unlike older ones, employ the following routines that make them harder to remove and detect:[7]

  • encrypt its APK and shell code,
  • run a malicious DEX file without notification,
  • add a “guard code” to monitor its own processes,
  • rename .APK (Android application package) files used to install the malicious apps,
  • and launch the new activity as the payload.


  1. ^ "Ghost Push malware is putting the willies up Android users - TheINQUIRER". Retrieved 30 November 2016.
  2. ^ "Cheetah Mobile: 'Ghost Push' Android virus infects 600k+ users a day with unwanted apps | VentureBeat | Security | by Ken Yeung". Retrieved 2016-01-09.
  3. ^ "'Ghost Push' Malware Infects 600K Android Users Daily". Retrieved 2016-01-09.
  4. ^ "How to avoid the new Android "Ghost Push" virus | One Page |". Retrieved 2016-01-09.
  5. ^ "Ghost Push malware can root devices and install unwanted apps - here is the fix". Retrieved 2016-01-09.
  6. ^ "'Ghost Push': An Un-Installable Android Virus Infecting 600,000+ Users Per Day - The world's leading mobile tools provider". Retrieved 2016-01-09.
  7. ^ "New "Ghost Push" Variants Sport Guard Code; Malware Creator Published Over 600 Bad Android Apps - TrendLabs Security Intelligence Blog". 30 September 2015. Retrieved 30 November 2016.