[fulafel]

Not knowingly. Sounds like there is a phony app as a phishing style infection vector:

"The malware masquerades as a legitimate or popular app that uses the names App, MMS, whatsapp, and even Pokemon GO. When the app is launched, it base64-decodes a string from the resource file and writes it down, which is actually the malicious Android Application Package (APK)."

The user has a legitimate expectation that the app sandbox containment provided by the OS works and nothing bad should happen if s/he tries out the aforementioned apps.

This type of malware are commonly called backdoors, see eg. http://www.virusradar.com/en/glossary/backdoor

[dahart]

That link says right at the top, "The difference between this type of malware and a legitimate application with similar functionality is that the installation is done without the user’s knowledge."

I agree with @debatem1, this is not what "backdoor" commonly means, phishing does not count as "without the user's knowledge". Phishing is a trick to get in the front door.

[fulafel]

I'm not sure if you're serious, but in this case the user obviously was not intending to install a "legitimate application with similar functionality".

The user wanted to install a WhatsApp, Pokemon, etc type of application but was phished or otherwise deceived into completing the app installation interaction, and was left with no knowledge about the backdoor.

[dahart]

Right, you are correct, the user didn't want it. But the user's intent is not the line that distinguishes between phishing and a back door. Yes I'm serious. Phishing is a way to get people to do things they don't intend to do. Phishing involves a user interaction that is masquerading as legitimate, but is in fact malicious against the user's intent. Both phishing and back door attacks are always attempting to do something unwanted, and always intending to do it without the user knowing what's really happening. But the language "without the user's knowledge" referring to back doors means without any user interaction.

I'm sure there are gray areas and situations where it's hard to distinguish, but a backdoor is most commonly defined as not involving any user interaction. A phishing attack involves user interaction. The phishing attack can be used to install a backdoor for future attacks, but that's not what happened here. This phishing attack asked the user for permission to do the things it wants to do. That's the front door.

It's a guy pretending to be the mailman ringing the doorbell and asking if he can come in, then stealing stuff while he's there. The backdoor is a thief in a mask sneaking in a slightly open window at night when nobody's home. The difference is the fake mailman asked for permission. Even though he was fake. It wasn't my intent to let a thief in the house, it was my intent to let the mailman in, but I still got robbed.

Make sense now?

This distinction is important because there are things you can do to avoid phishing, as there are in this case, but there is nothing you can do to avoid a real back door, because it happens without any signaling at all, it happens without your knowledge. So back to @debatem1's point, this should have been called a sophisticated phishing attack, rather than being called, inaccurately, a back door attack.

[fulafel]

Backdoor is a type of persistent malware. Phishing is a way to infect a device with malware, be it a backdoor or ransomware or whatever.

There is always some infection vector associated with a backdoor.

[dahart]

Yes, right, that's correct. The infection vector itself is precisely what is known as the "back door". That's the point. Back doors are the vector, whereas with phishing the user is the vector.

The definition of a backdoor is an attack that bypasses security and doesn't require user input. The definition of phishing is an attack that requires user input, by tricking the user into using their own credentials to authorize access.

Back doors can be opened intentionally or unintentionally by whoever designed or setup the system, but they allow an attacker to get in without involving any input or action from a legitimate user of the system.

Phishing is a way to infect a device with malware by tricking the user into installing the malware. That's exactly what happened here. GhostCtrl is malware that infects via phishing, because it requires the user to authorize it, and it does not have an attack vector it can use without the user's authorization.

It sounds like we're all straightened out and in agreement?

[fulafel]

No, the infection vector, eg phishing or browser exploit or trojan or whatever, is what enables a back door to be installed. The back door is not an infection vector, it is the payload.

Yes, there is a type of back door that is factory installed as part of the dev process of an otherwise legitimate product. But in the context of malware, the backdoor is a payload that enables malicious remote access. Like the glossary entry I linked explains.