Kaspersky uncovered PhantomLance malware that bypassed Google Play filters and preyed mainly on Android users in Southeast Asia
Kaspersky uncovered PhantomLance malware that bypassed Google Play filters and preyed mainly on Android users in Southeast Asia.
“Dozens” of malicious apps were discovered by experts in Google Play; they were being distributed through the Play Store and through alternative app stores such as APKPure and APKCombo.
In July 2019, Dr.Web reported a backdoor trojan in Google Play that could install further malware and exfiltrate data from the device. This sophisticated behaviour led Kaspersky to investigate it further.
The PhantomLance malware implements spyware functionality: it can gather and exfiltrate information (contacts, text messages, call history, device location and installed applications), download and execute files, upload files, and execute shell commands.
According to Kaspersky, this malware campaign has been running for over 4 years and is likely the work of the OceanLotus advanced persistent threat (APT) group.
OceanLotus APT is a state-sponsored hacking group that has been active since 2013. It has targeted organisations across multiple sectors, including foreign governments, dissidents and journalists.
“The initial versions of applications uploaded to marketplaces did not contain any malicious payloads or code for dropping payload,” said Kaspersky.
“These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads. We were able to confirm this behaviour in all of the samples, and were able to find two versions of the applications, with or without a payload.”
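The tactic Kaspersky describes above, a clean first release followed by an update that introduces the payload, means the useful review signal is the difference between consecutive versions rather than either version on its own. The following is an added illustration of that check, not Kaspersky's tooling or code from the campaign: it diffs the file inventory and declared permissions of two APKs (APKs are ZIP archives) and flags an update that adds executable code together with sensitive permissions. The permission list is read from a constructed plain-text entry for simplicity; real APKs store the manifest as binary XML, which needs a dedicated decoder such as androguard to parse.

```python
"""Flag capability growth between two versions of the same Android package.

Added illustration (not Kaspersky's tooling): the article describes a benign
first version followed by an update carrying the dropper, so the review signal
is the diff between versions. The permissions here come from a constructed
'permissions.txt' entry, a stand-in for the real binary-XML AndroidManifest.
"""
import hashlib
import io
import zipfile

# Entries that can carry executable code and therefore matter most in an update diff.
CODE_SUFFIXES = (".dex", ".so", ".jar")

# Permissions whose first appearance in an update warrants a closer look; the set
# mirrors the capabilities the article attributes to the spyware.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def inventory(apk_bytes):
    """Return ({entry name: sha256}, {permissions}) for an APK given as bytes."""
    hashes, perms = {}, set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            hashes[name] = hashlib.sha256(data).hexdigest()
            if name == "permissions.txt":  # constructed stand-in for the manifest
                perms = set(data.decode().split())
    return hashes, perms


def diff_versions(old_apk, new_apk):
    """Compare two versions and report new/changed entries and new sensitive permissions."""
    old_hashes, old_perms = inventory(old_apk)
    new_hashes, new_perms = inventory(new_apk)
    added = sorted(set(new_hashes) - set(old_hashes))
    changed = sorted(
        n for n in old_hashes if n in new_hashes and old_hashes[n] != new_hashes[n]
    )
    new_code = [n for n in added + changed if n.lower().endswith(CODE_SUFFIXES)]
    new_sensitive = sorted((new_perms - old_perms) & SENSITIVE_PERMISSIONS)
    return {
        "added_files": added,
        "changed_files": changed,
        "new_code_files": new_code,
        "new_sensitive_permissions": new_sensitive,
        # Code added in an update together with new sensitive permissions is the
        # pattern the article describes; either alone is common in normal updates.
        "suspicious": bool(new_code and new_sensitive),
    }


def build_apk(files):
    """Build a constructed APK-like ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign v1, and a v2 that adds a second dex plus new permissions.
V1 = build_apk({
    "classes.dex": b"dex\n035\x00benign-app-code",
    "permissions.txt": b"android.permission.INTERNET",
})
V2 = build_apk({
    "classes.dex": b"dex\n035\x00benign-app-code",
    "classes2.dex": b"dex\n035\x00dropper-stub",
    "permissions.txt": b"android.permission.INTERNET "
                       b"android.permission.READ_SMS android.permission.READ_CONTACTS",
})

if __name__ == "__main__":
    for key, value in diff_versions(V1, V2).items():
        print(f"{key}: {value}")
```

In practice the same comparison would be run against the previous approved build whenever a new version is submitted or observed, with the manifest decoded from the real binary XML; a flagged result is a prompt for manual review of the new code entries, not a verdict on its own.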
As soon as Kaspersky reported its findings to Google, the malicious apps were removed from the official store.
Since 2016, there have been around 300 infection attempts targeting Android devices in India, Vietnam, Bangladesh and Indonesia. Vietnam was hit the hardest, as some of the malicious applications were made exclusively in Vietnamese.
“This campaign is an outstanding example of how advanced threat actors are moving further in deeper waters and becoming harder to find,” said Alexey Firsh, security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
“We can also see the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area. These developments underline the importance of continuous improvement of threat intelligence and supporting services, which could help in tracking threat actors and finding overlaps between various campaigns.”