Ghost Push malware can root devices and install unwanted apps – here is the fix

by: Edgar CervantesOctober 13, 2015


A common rule of thumb is that those who stick with the Google Play Store are safe from malware and other dangers. This is mostly the case, but once in a blue moon we get some exceptions. Such is the case for Ghost Push, a trojan malware that hides itself inside popular apps and has managed to make its way to official app markets (yes, this includes our beloved Play Store).

This malicious code was discovered by Cheetah Mobile on September 18th. Things spread quickly and the malware managed to infect 900,000 devices, which really is a significant number. This includes smartphones and tablets from many markets and manufacturers. We can thank the quick proliferation to the nature of the software. Aside from bypassing security measures established by the Google Play Store and other markets, Ghost Push was able to obtain full root and control smartphones and tablets at its fullest. This also made it nearly impossible to get rid of.

Some of the infected apps include bogus versions of Calculator, Smart Touch, Assistive Touch, Talking Tom 3, Easy Locker, Privacy Lock and others.


After earning full control over a device, the Chinese hackers running the operation would push app installations without the user’s consent… and they weren’t free apps. Cheetah Mobile estimates that Ghost Push made this criminal ring about $4.05 million per day.

There’s not much to worry about now, as all of these malicious apps were quickly taken down from the Google Play Store, but some of you may have already been affected. As we mentioned above, this is a very nasty virus that sticks to your phones internals. Most anti-virus software won’t even work, but Cheetah Mobile has created a specialized tool to kill Ghost Push.

The app is also good at detecting the malware, so you should run it if you have been noticing any weird activity on your smartphone, or if you happen to have downloaded one of the listed apps.

Download Ghost Push Trojan Killer from the Google Play Store

This just goes to show you that we should always be careful of what we do with our smartphones. Sometimes even the Google Play Store is not safe, so try to be careful where you grab your apps from. Always make sure it comes from the official developer and no red flags are up. Have any of you been affected? The stats show the USA had its fair share of infected gadgets.


  • Connor

    What if, Ghost Push Trojan Killer installs Ghost Push? :OOOOOOOOOOOOOO /s

    • Aqwaman

      I had the same thought !!

      • DNagooyen

        I’ve always been wary about those “you have a virus, install this anti-virus now!!!” messages.

    • Josh

      Same thought I had…after I ran the app they recommended :/

  • Abd

    The number 1 Virus is the Antivirus ..!

  • pjtpjt

    How does it root it? This could be a treasure for Knox-ridden Samsung phones.

    • s2weden2000

      it propably does not root..but affect rooted devices..

      • Android Developer

        It could root. There are still exploits. One of them is used by TowelRoot, which is a very popular tool for rooting.

  • ScandaLeX

    so try to be careful where you grab your apps from. Always make sure it comes from the official developer…..”

    What’s more careful than the Play Store?
    How would one know an app IN the Play Store is not from the official developer….was Ghost Push developed by someone else previously making it official before the “Chinese hackers” made it unofficial?

    This article made me need my cup of coffee earlier than usual.

  • Hartfrid Lovejoy

    How do I get Ghost Push? I’ve been looking for root for a while

    • Daivd

      Do you really want it? I do have one.

      • sasaassa

        Can you give it? i would like to try it out and figure out how it works. One question i have is Can it active the malware if the phone is not rooted?

  • Sonik

    Discovered by cheetah mobile? Who themselves are a scumware company. This whole thing sounds a little dubious to me!

    • James Sarver

      On a clean stock rom it is not soon as you install super su. The app detects ghost push. Uninstall super su and the Trojan is gone again. Installed superuser and checked out Trojan found. So why does it detect it with super su. But not with super user. Because with superuser it does not detect root. So is actually detecting anything?

  • Glen H

    I’d trust Ghost Push more than CM any day !!

  • daisyboots

    Was just reading about Cheetah Mobile – yeah there is stuff out there about them not being the most reputable themselves. Hmmmm…

    Also, a quick Google search of Ghost Push Trojan pulls up hits for this page, Cheetah’s app, and not much else that isn’t fairly obscure and sketchy seeming. Wouldn’t such a pervasive and dangerous virus (when searched) pull up hits from other major Android news sites, XDA, etc.?

    AA: a little surprised that one of your stories is encouraging the install of the Cheetah Mobile app – I have a lot of trust in you guys and actually did install the app before reading the comments below and doing my own brief searching (my bad and responsibility I know, but still…)

  • jprakes

    Install cheetah malware to remove another malware. Seems legit.

  • Raul Acevedo

    I wonder, if you have an already rooted phone, if this virus will trigger the SuperSU security pop-up, or if it’s smart enough to bypass it entirely.

    • pseudo

      I’m curious too. I can’t see it getting past x-privacy though without alerting me to an unusual permissions being requested.

    • LogicDaemon

      Most programs requiring root, execute su binary, and that binary calls something “su manager”, which responds is it allowed or not (and can display prompts or just check a list).

      Virus gets root permission by means of exploit, and installs it’s own suid binary with name and path different from “normal” su, so user still does not get root rights, and because of that virus doesn’t care if phone is rooted, neither triggers any security popups from existing root managers.

  • Chuck Jones

    Isn’t Cheetah Mobile a Trojan/malware installing product company?
    They buy out companies, then re-package the app with their malware.

  • Benjamin Earl Traylor

    Cheetah is a Chinese owned company. So the Chinese mobile company is telling us that Chinese hackers are the ones taking control of mobile phones? That we should hurry up and install their software so the can save us from them? I’ll get right on that.

    • Papajack Gemperle

      This what I mean…Don’t trust this antivirus.

  • Papajack Gemperle

    My theory is correct and true. I already discovered it before this ghost touch released in my blog and already posted on how to remove it and what the purpose of this attack. I found out that can access in internet or mobile data to earn money from their ads and can automatically install unwanted apps. As you can see in my blog that was posted last June 2015. My point is why did they claimed that this malware discovered by their company? How did they know that the criminal earned 4 million USD per day?. I wonder that this Cheetah mobile company has relation to the Ghost push virus? bcoz of same races “Chinese”. Just kidding…No offence Cheetah mobile but some of your application bind this malware “monkeytest and timeservice”. Before you show this what I was expected like the antivirus company made a virus then create also antivirus in order to buy their antivirus and gain respect. But as whole they also the creator of the virus.

  • So you guys got trolled by a chinese malware maker. Good job. Talked with my FireEye rep. This is fake.

    • Lian

      How’d u say this convo thread is fake? Im experincing this shit right now. But these thread was a year ago already😭

  • A2theC

    Is this article written exclusively to promote this “virus” scanner?

  • Neo Tan

    nice iphone image explaining android malware

  • Isma

    I have successfully remove ghost push trojan,using king root, cm security & ghost push trojan killer….

  • Andrea

    It has affected me and I do not get into any funny sites at all in fact I just got the phone about a week ago. Even this trojan killer does not get rid of it and it says “uninstall unsuccessful”…. now you tell me how to get rid of this bummer! ive tried for three days with different tools even trying to learn to reinstall the phone’s android system…. but am not that technical… its a real pita!!!

    • Isma

      1)download king root
      2)download ghost push trojan killer
      3)download cm security
      Firstly u need to root your phone by using king root.
      After root your phone, then you can use ghost push trojan killer and cm security to kill all the viruses…

      • Anastasios Karaferis

        I have successfully removed this trojan, using king root, cm security & ghost push trojan killer…. thanks a lot for the usefull info

  • fearless

    I have downloaded Trojan killer but yet the malwares always keep coming back

  • Nick

    Sounds like made up trash to me apps that root your phone without you knowing ha! So explain how it does this without installing superuser and or busybox and cheetah mobile then want you to root your phone to install trojan app!!.. im i missing something here the infected app has root control but you need then root your phone to use stubborn trojan killer… thats impossable.

    Stop pushing this crap on people its clearly a made up virus that only exists as a name in CMs own antivirus app to scare you into thinking you need to download more off there apps

  • kenkeyguy

    Totally made up virus to make you download stubborn trojan killer
    I don’t know why Android Authority is promoting this.. just goes to prove this is yet another site not to be trusted

  • Guilherme

    This malware Root unrooted devices and Install unwanted apps and infects original system apps. Factory reset does not work, Ghost push app does not work. Flashing device is a good try. We need a solution for this. There are more and more devices getting infected every day by this thread. Nothing llike Ghost Push app works. unwanted apps come back after all. Does anybody has a solution for that? Post in here please!

  • ziplock

    there’s no way to get rid of this Ghost Push. Even anti virus is the virus also. R.I.P. smartphones

  • abodooma

    Yep.. Got hit by the awful virus.. It uses the stagefright bug which affects all android from 2.2 to 5.0.2
    Once the infected app is installed it immediately roots the phone or takes over the root from superuser and other software.. Then it installs it’s core apks in the system/priv-app so it gets full permissions.. Installs a minimal version of busybox.. Makes it’s core apps system, write protected, immutable.. Puts a rootkit shell script in startup. Then force restarts the phone..

    After the restart.. The trojan starts working.. It forcibly turns on wifi and data.. Connects to any known access point.. Starts downloading huge amounts of apks which appear to be chinese apps.. Shows fullscreen ads every few secons and most of them are chinese porn or fake security apps.. All these apks are installed into /system, so there is no way to uninstall them and they remain after the factory reset…

    To eliminate the virus manually, one must install kingroot which re-roots the phone and takes over it from the virus, install busybox and a terminal.. And start reversing the above processes.. Find the core apps of the virus which could be named anything.. Unprotect them, remove them.. And start uninstalling the downloaded apps using a root app uninstaller.. You know the virus is gone when the wifi stays off when you turn it off.

    I haven’t tried the cheetah mobile app yet..
    But I recommend you reflash your phone with the original software and update your phone to Android 5.1.1 or above to prevent other malware from rooting your phone.

  • Humaid Md Miakhan

    One way to fix it is to flash a custom ROM. I tried it on a friend’s phone and that seemed to do the trick.

  • sazzad khan

    i just got recovered….even stubborn killer failed to delete those virus…
    sprovider, provider, ssettings and favor these 4 shit were detected by the stubborn killer and i deleted it million times in two weeks but they kept comming… cm security also failed … at last flash stock rom to my droid was the only choice i had left…as i am a bit unlucky , faced lots of trouble in doing that… but finally got cured…:):P.

    if you dont have this trozen by now trust me you will get it so soon.. and flashig is the best solution for it

    note: If and only if you faced any problem with sp Flash tools that can’t complete it’s downloding task….give attaching battery and volume up + Power button a shot…. it saves my day…

  • shaan qadri

    its didnt delete …..ghost push virus.
    first conform to delete but again after scanning its same ghost push virus is available..
    plz what to doo

  • James Sarver

    On a clean stock rom it is not soon as you install super su. The app detects ghost push. Uninstall super su and the Trojan is gone again. Installed superuser and checked out Trojan found. So why does it detect it with super su. But not with super user. Because with superuser it does not detect root. So is actually detecting anything?

  • Willy Lim
  • Linda C. Ruckman

    There is bit of relation between cheetah mobile and hackers because both are in china. Maybe Cheetah mobile has made the malware