By Cheetah Mobile


A dangerous new Android trojan dubbed Golem (a variant of the Ghost Push virus), has been discovered by Cheetah Mobile Security Research Lab and is spreading rapidly around the world. Golem is still in an early stage, but we’ve detected over 40,000 infected Android users, and that number is rising quickly.

Since ads that pay for app installs typically require open an app and use it after downloading, Golem’s automated user gestures for swiping and scrolling further complicate meaningful analytics and fraudulently earn money for the criminals behind the malware.

How Golem works

Common knowledge for Android developers, all Android devices have been pre-loaded with a system command tool: ‘Input.’ The ‘Input’ command tool is designed to help developers conduct automated testing and is mainly used to send commands for simulating operations across devices. Generally, legitimate applications have no privilege to execute this tool, but malware with root privileges are able to utilize it.

The Golem Trojan family gains root privilege and leaves a backdoor for Golem to leverage this tool. Golem can pull command codes like ‘tap,’ ‘swipe,’ and ‘press’ from a cloud server and execute these codes with the ‘Input’ command tool to operate apps automatically. Every time Golem is activated, it will download updated command code from the cloud server to launch apps and simulate users tapping, sliding and scrolling through app pages.

How Golem compromises your device

Since Golem can control devices remotely and automatically launch and run applications without a user’s consent, these malicious behaviors will consume a lot of network data, battery power, and local device resources, slowing down phones as a result.

Who’s behind this awful trojan?

Golem is a new member of the Ghost Push root trojan family and is playing an important role in the black market profit chain. In the previous reports regarding Ghost Push and the underground app distribution chain behind it, we constantly mentioned that this trojan family is capable of installing unwanted and annoying apps on infected devices.

However, now that the malicious behavior has moved beyond just installing useless applications on your devices, it is acting on behalf of users.

Undoubtedly, the Golem trojan is developed by the financially motivated attacker to make more profits. As Golem is able to simulate actions to pretend to be a human user, the attackers will get a lot more money from advertisers.

For instance, if the attackers can get $1 by installing a promoted app on one device, they may be able to get $2 or more if the app has actually been opened and used. (Or if attackers make the advertisers believe that the app has been used.)

Golem – a new Android trojan trend!

Considering the huge economic value of this root trojan profit chain, experts believe that the malicious behaviors of Golem probably indicate a new trend among Android trojans.

Fortunately, security companies around the world are trying their best to defeat these evils and protect users.

So far, almost all countries have been affected by this Trojan and the most severely affected area is India and Southeast Asia. The top 3 worst-hit countries are India, Indonesia and Phillipines.

How to get rid of Golem?

Besides CM Security, and Clean Master, the specialized Stubborn Trojan Killer is able to identify and kill this terrible Trojan in seconds. CM Security Lab reminds users to download apps only from reputable app stores, like Google play.