GhostSpy Android Malware Hijacks Phones, Evades Removal

A newly discovered Android malware known as GhostSpy is allowing threat actors to gain full control over infected devices, according to researchers at Cyfirma. The sophisticated Remote Access Trojan (RAT) uses a multi-stage infection chain that begins with a dropper app disguised as a legitimate update or system tool. Once installed, it escalates privileges and deploys a secondary payload to enable persistent surveillance.

GhostSpy exploits Android’s Accessibility Services and Device Administrator APIs to stealthily grant itself extensive permissions. The malware can harvest sensitive data including keystrokes, screen content, call logs, GPS location, and banking credentials. It also bypasses screenshot protections using skeleton view reconstruction.

The infrastructure supporting GhostSpy points to a Brazilian origin, with command-and-control servers operating in multiple languages. Its advanced automation routines simulate user interaction to grant permissions without consent, making it difficult to detect or uninstall. The malware is actively maintained and poses a serious risk to mobile security worldwide.
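
A defender-side triage sketch for the abuse described above, added here as an example (not from Cyfirma's report or the original article): it flags user-installed packages that hold an enabled accessibility service, an active device admin, or both. The command outputs are constructed samples, the `com.example.*` package names are hypothetical, and the `dumpsys device_policy` excerpt format is an assumption because it varies by Android version.

```python
import re

# Constructed sample outputs (hypothetical packages, not from a real device).
# adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.sysupdate/com.example.sysupdate.CoreService")
# adb shell dumpsys device_policy  (assumed excerpt; format varies by version)
SAMPLE_DPM = """Enabled Device Admins (User 0):
  admin=ComponentInfo{com.example.sysupdate/com.example.sysupdate.AdminReceiver}
  admin=ComponentInfo{com.example.mdm/com.example.mdm.Receiver}
"""
# adb shell pm list packages -3  (user-installed packages only)
SAMPLE_PM = ("package:com.example.sysupdate\n"
             "package:com.example.mdm\n"
             "package:com.example.notes\n")


def a11y_packages(setting):
    """Packages in the colon-separated component list; 'null' means unset."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if "/" in comp}


def admin_packages(dumpsys):
    """Packages of every ComponentInfo{pkg/class} token in the dump."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", dumpsys))


def third_party(pm_out):
    """Package names from 'package:<name>' lines."""
    return {line.split(":", 1)[1].strip()
            for line in pm_out.splitlines() if line.startswith("package:")}


def triage(a11y, dpm, pm_out, allowlist=frozenset()):
    """Map each non-allowlisted third-party package to 'high' (holds both
    privileges) or 'review' (holds one of them)."""
    acc, adm = a11y_packages(a11y), admin_packages(dpm)
    candidates = third_party(pm_out) - set(allowlist)
    return {pkg: "high" if pkg in acc and pkg in adm else "review"
            for pkg in sorted((acc | adm) & candidates)}


if __name__ == "__main__":
    for pkg, level in triage(SAMPLE_A11Y, SAMPLE_DPM, SAMPLE_PM).items():
        print(f"{level:6} {pkg}")
```

Packages that appear in neither list, and preinstalled services such as TalkBack that are absent from the `-3` listing, are not reported.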
