Kaspersky has spotted an ongoing campaign, dubbed PhantomLance, that employed malicious spying apps hosted by Google Play.
The campaign has been active for at least four, experts discovered “dozens” of malicious apps in Google Play, some of which included a new Trojan. Experts also discovered malicious apps on the APK download site APKpure.
In 2019, researchers from Dr. Web discovered a backdoor trojan in Google Play, which appeared different from other threats due to its level of sophistication for this reason Kaspersky investigated it. The malware was an info stealer and according to the researchers, it was part of a long-term campaign, tracked as “PhantomLance” that has been active at least since December 2015.
“We found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces including Google Play.” reads the analysis published by Kaspersky. “One of the latest samples was published on the official Android market on November 6, 2019. We informed Google of the malware, and it was removed from the market shortly after.”
The Trojan was hidden in an application on Google Play that masqueraded as an OpenGL Plugin that once executed simulates a check for new versions of OpenGL ES, but actually installs a backdoor.
Kaspersky experts found a similar sample on Google Play, it implements high levels of encryption, furthermore, the malicious code was able to download and execute additional malicious payloads that would be suitable to the specific device environment (i.e Android version, installed apps).
The PhantomLance malware implements classic spyware functionalities, it could exfiltrate user data, phone call logs, SMS messages, contacts, and GPS data. The malicious code is also able to deploy additional malicious payloads.
Kaspersky believes that the campaign was carried out by an Advanced Persistent Threat (APT) group, experts discovered multiple overlaps with campaigns attributed to the OceanLotus APT. Overlaps include multiple code similarities with the previous Android campaign, as well as macOS backdoors, and the infrastructure.
“While analyzing the С2 server infrastructure, we quickly identified multiple domains that shared similarities with previous ones but were not linked to any known malware samples. This allowed us to uncover more pieces of the attackers’ infrastructure.” continues the analysis.
OceanLotus APT (also known as APT32 or Cobalt Kitty) has been active since at least 2013, it is a state-sponsored hacking group that targeted organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.
Recently the Vietnam-linked cyberespionage carried out hacking campaigns against Chinese entities to collect intelligence on the COVID-19 crisis
For most of malware deployment, the threat actors built a fake developer profile by creating a Github account that contains only a fake end-user license agreement (EULA).
The researchers noticed that in order to avoid detection, the first version of the malicious app initially uploaded to Android stores (Google Play or APKpure) did not contain malicious code. Later the attackers update the applications with the code that acts as a dropper for additional payloads.
Experts observed around 300 infection attacks on Android devices in India, Vietnam, Bangladesh, Indonesia since 2016.
Kaspersky reported his findings to Google that has since removed the malicious apps from the official store.
“Based on the complete analysis of previous campaigns, with the actors’ interests in victims located in Vietnam, infrastructure overlaps between PhantomLance and OceanLotus for Windows, multiple code similarities between an old Android campaign and MacOS backdoors, we attribute the set of the Android activity (campaign 2014-2017 and PhantomLance) to OceanLotus with medium confidence.” concludes Kaspersky that also published Indicators of Compromise (IoCs) in its analysis.
Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – PhantomLance, hacking)