Security researchers recently discovered a malware campaign targeting Android devices directly through apps in the Google Play Store, which they dubbed PhantomLance.
It was revealed that a significant number of apps distributed through the Play Store, as well as through other app stores such as APKCombo and APKPure, were infected with malicious software used to spy on people and steal their sensitive data.
According to researchers from Kaspersky, the malware campaign has been ongoing for at least four years. It is believed to be the work of the OceanLotus advanced persistent threat (APT) group, also known as APT32. The group is suspected of operating out of Vietnam, and some believe, based on its choice of targets, that it has a connection to the Vietnamese government.
The PhantomLance spyware was first detected in 2019, targeting users in Bangladesh, India, Indonesia, and Vietnam, and collecting information such as contacts, call logs, location data, SMS activity, device specifications, and a list of all installed applications.
At first, the researchers discovered an app on the Play Store that provided a backdoor, allowing attackers to install malware and exfiltrate data from Android devices. Upon further examination, the analysts found similarities in multiple other applications, which stood out for their higher levels of encryption and complexity compared to most other info-stealing malware.
Security researcher Alexey Firsh commented: "PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores' filters several times, using advanced techniques to achieve their goals."
The hackers usually uploaded an initial version of a legitimate-looking app to the Play Store, using a bogus GitHub developer profile for added authenticity. Once the app was accepted and had cleared all security checks, the attackers would update it with additional malicious features and requests for access to valuable information on the infected devices.
The capabilities of the malicious apps varied, as they were custom-tuned for the specific geographical region in which they were used. This allowed the threat actors to avoid overloading the apps with unnecessary features while still gathering all the information they could access.
The OceanLotus group has been active since at least 2013 and has previously been linked to several reconnaissance campaigns, some of which targeted the Chinese government. A recent report by FireEye noted that the Chinese Ministry of Emergency Management was targeted by OceanLotus in an attempt to locate and steal data relating to the COVID-19 pandemic.
Google has responded to the PhantomLance campaign by removing the involved apps from their store. Still, copies of these applications can be found in mirror repositories, which ironically state that the installation package is virus-free, as it was downloaded directly from the Google Play Store.