[dahart]

Yes it is possible to install a back door, after you've gained access. I'm fine with calling GhostCtrl a phishing attack that installs a back door. The big question here is which part of the attack elevates access to user or root level?

The miscommunication here between us is that you're looking at what GhostCtrl does after it already gained access. Because the first point of contact, the initial entry point, is using the security systems as they were designed to be used, and tricking the user into granting access to the malicious software, the attack as a whole is a phishing attack. As I understand it, the payload is not by itself elevating access, it is using access the user granted to do bad things, not achieving a higher access level.

The payload of an attack of any sort is not commonly understood to be the "back door", I think you're slightly off the mark there. You're not wrong, but you're going to have trouble talking to other people if you keep insisting on this, because the common understanding of a back door is that it's a way of getting in, by bypassing security. It's normally defined as a way of initiating an attack, not the malicious result of an already complete attack.

The only way to define a back door as you have is to have another attack in front of it. If the back door is the payload, then you have to deliver and execute the payload somehow. In the case of GhostCtrl, that mechanism is phishing.

[fulafel]

If you scroll back, this started with "Why is this being called a backdoor? Is there any indication that that's what it is?". I linked to a glossary entry I think reflects the common usage in malware context.

Any payload is not a back door, payloads can be also ransomware, ddos bots, etc.

[dahart]

Okay, I think we're agreeing on the definition. You do agree that this particular backdoor depends on a successful phishing attack, right?

FWIW, I don't think that glossary entry you linked is very good. It calls a backdoor an application, but a backdoor is not always an application -- which I think you already know & mentioned in this thread. A RAT (remote access tool) is definitely not synonymous with backdoor in the common understanding. A backdoor can also be an open port, a bad password, or a variety of other entry methods. Wikipedia's entry on backdoor is better than the one you linked. https://en.m.wikipedia.org/wiki/Backdoor_(computing)

If a backdoor were always an application, and that was the common definition, then I think the question above wouldn't have been asked. One problem is that backdoor sometimes implies a vulnerability exists before any malware is installed. To call something a backdoor can send the wrong message about what someone concerned about this should do to mitigate the risks. Knowing it's a phishing attack is pretty important because it means you can and should be suspicious of apps asking for credentials and permissions. If you think it's primarily a back door, you might wrongly assume that you need to update a security patch, or that there's nothing you can do to reduce your risks.

This is why I believe @debatem1's question is reasonable and agree with it - to title this a backdoor is technically true, but it seems misleading.

[fulafel]

I think this is going around in circles: we already covered the backdoor term in malware vs product name in contexts, and the payload vs phishing thing. If you Google for backdoor payloads, you see that it is common usage.