Application Security , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Spyware Campaign Leverages Apps in Google Play Store

Kaspersky: 'PhantomLance' Campaign Has Targeted Android Users for Five Years
Spyware Campaign Leverages Apps in Google Play Store

Over the past five years, a sophisticated spyware campaign has been targeting Android users through Trojan-laced apps in the Google Play store that are disguised as various plugins, browser cleaners and application updaters, according to Kaspersky researchers.

See Also: OnDemand: 2024 Google Cloud Partner of the Year - Application and Infrastructure Security

Dubbed "PhantomLance," this campaign involves dozens of malicious apps that were offered on Google Play, as well as other app stores, such as APKpure, that offer Android apps. Those behind the campaign are taking steps to keep these malicious apps hidden from the security features built into the Google Play store, the researchers report.

The developers behind these malicious apps created fake profiles on sites such as GitHub to lend a layer of legitimacy to the applications they were distributing. In addition, many of the early versions of these apps did not contain malicious payloads, which helped the apps bypass security screening features, Kaspersky researchers say.

Once downloaded, the spyware can gather broad information about the targeted Android user, including geolocation, call logs, contact access and SMS access, Kaspersky reports. The malware also can gather a list of other installed applications on the device as well as details about the smartphone model and version of the operating system in use.

The ongoing PhantomLance campaign mainly targets Android users in Southern Asia, including India, Vietnam, Bangladesh and Indonesia. The Kaspersky researchers note that they found about 300 attempted infections on mobile devices related to this campaign since 2016.

"PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores' filters several times, using advanced techniques to achieve their goals," Alexey Firsh, security researcher at Kaspersky, notes in the report. "We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area."

Ongoing Campaign

The Kaspersky researchers first discovered the PhantomLance campaign after Doctor Web, another security firm, published a report in July 2019 about a backdoor Trojan that their researchers found in the Google Play store. In addition, BlackBerry researchers found evidence of some of this malware planted in the Google Play store in 2019, which they called OceanMobile.

That Trojan was more complex than the malware typically used by cybercriminals for stealing financial information and credentials from Android users, according to the Kaspersky report. That malware was disguised as an app for OpenGL ES updates, which helps render 2D and 3D graphics. Instead of looking for updates, however, this app installed a backdoor Trojan that would start gathering details about the device and its user, according to the report.

As the Kaspersky researchers looked closer, they found dozens of related apps using similar code. Some of these dropped their payloads immediately onto devices, while others used delaying techniques designed to bypass security features. Many of these apps were disguised as Adobe Flash plugins, browser and device cleaners and updaters for Android devices.

Spyware designed as Android app (Source: Kaspersky)

"Our main theory about the reasons for all these versioning maneuvers is that the attackers are trying to use diverse techniques to achieve their key goal, to bypass the official Google marketplace filters," according to the report.

As Kaspersky researchers found these malicious apps, they informed various application stores, including Google Play, which then removed these applications, according to the report. But the operators of this campaign are suspected of adding new malicious apps to other app stores even when older ones are taken down, researchers note.

"But more importantly, the infrastructure established by this threat actor for this specific campaign continues to work non-stop, showing that they have not interrupted their operations," Firsh tells Information Security Media Group.

Ocean Lotus Link?

The Kaspersky researchers suspect that a group backed by a nation-state group is behind the development and disruption of these apps due to the level of sophistication and techniques used to bypass security features.

Kaspersky reports that it has "medium confidence" that this ongoing campaign is the work of an advanced persistent threat group called Ocean Lotus, which is also referred to as APT32. FireEye recently reported that this group apparently targeted government agencies in China, looking for information about that country's COVID-19 response (see: Hackers Targeted Chinese Agencies for COVID-19 Intel: Report ).

Ocean Lotus, which has been active since 2014, apparently has ties to the government of Vietnam, according to FireEye and other security researchers.

In its report, Kaspersky researchers note that they found that some of the code used by this hacking group to create backdoors in macOS is similar to code found in the spyware uncovered in the app stores. In addition, the researchers found command-and-control servers as well as subdomains used by Ocean Lotus in previous campaigns that relate to the PhantomLance operation.

This article was updated to include additional information from BlackBerry.

About the Author

Apurva Venkat

Apurva Venkat

Special Correspondent

Venkat is special correspondent for Information Security Media Group's global news desk. She has previously worked at companies such as IDG and Business Standard where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.