The PhantomLance hacking group is an organization that has recently caught the attention of cybersecurity researchers. After studying the group's activity, malware experts found that it has run a campaign lasting four years whose goal was the distribution of Trojans targeting Android devices.
The Trojan in question has been dubbed the PhantomLance threat, and it appears to be spreading via fraudulent Android applications. The applications associated with the PhantomLance Trojan were hosted on third-party application stores, as well as on the official Google Play Store. It is not uncommon for malware to bypass the security checks of the Google Play Store, so do not blindly trust applications hosted there. The applications that distribute the PhantomLance Trojan market themselves as enhancement tools that will improve the performance of the users' devices. The fake applications also claim to offer users helpful updates and other services that will help them maintain their devices. However, the end goal of these applications is not to provide valuable services to their users but to install the PhantomLance Trojan on compromised hosts.
Among the bogus applications propagating the PhantomLance Trojan is an application disguised as an OpenGL plugin. The plugin in question is supposedly meant to let users play mobile games that are not available to most individuals. This application has generated a significant number of downloads and is one of the most popular dodgy applications spreading the PhantomLance malware.
The PhantomLance Trojan allows its operators to obtain a large amount of information from the infected hosts, including:
- Text messages.
- Contacts list.
- Call history.
- Hardware details.
- Software details.
The PhantomLance malware can perform reconnaissance operations and monitor the activity of the victim. Any valuable information gathered is exfiltrated to the attackers' C&C (Command & Control) server. Last but not least, the PhantomLance Trojan can serve as a backdoor that allows the attackers to plant additional malware on the infected Android devices.
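Each of the data categories listed above (text messages, contacts, call history, device details) is gated by a specific Android runtime permission, so a defender's first triage step for a suspicious "performance booster" is to check which of those permissions its manifest requests. The script below is an added example and not code from the original article or from any PhantomLance analysis; it parses a constructed AndroidManifest.xml (the package name and app label are invented) with the standard library and reports which of the article's data categories the app could reach. The permission strings are real Android identifiers.

```python
"""Added example (not from the original article): manifest-level triage that
maps the data categories PhantomLance is reported to collect onto the Android
permissions an app must request to read them."""
import xml.etree.ElementTree as ET

# Attribute names in an Android manifest live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories named in the article -> real Android permissions that gate them.
DATA_PERMISSIONS = {
    "text messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts list": {"android.permission.READ_CONTACTS"},
    "call history": {"android.permission.READ_CALL_LOG"},
    "hardware/software details": {"android.permission.READ_PHONE_STATE"},
}

# Constructed sample: a hypothetical "speed booster" requesting far more than
# a performance tool needs. Package name and label are invented.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.speedbooster">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Speed Booster"/>
</manifest>
"""

# Constructed sample of what a genuine performance utility might request.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Cleaner"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def exposed_data(manifest_xml: str) -> dict:
    """Map each reachable data category to the requested permissions that unlock it."""
    perms = requested_permissions(manifest_xml)
    return {
        category: sorted(perms & needed)
        for category, needed in DATA_PERMISSIONS.items()
        if perms & needed
    }


def triage_report(manifest_xml: str) -> list:
    """Human-readable findings; empty list means none of the article's data is reachable."""
    return [
        f"app can read {category} via {', '.join(perms)}"
        for category, perms in exposed_data(manifest_xml).items()
    ]


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = triage_report(manifest)
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

A performance or maintenance tool has no legitimate reason to request SMS, contacts or call-log access, so a non-empty report for an app marketed that way is a strong signal to investigate further, while an empty report only means the manifest gives no direct route to these data, not that the app is safe.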
To escape the prying eyes of cybersecurity experts, the authors of the PhantomLance Trojan have made sure not only to encrypt but also to heavily obfuscate the threat's code, which makes the job of malware researchers far more challenging. This, combined with the fact that the PhantomLance operation has been ongoing for four years, means that the authors of this threat are certainly highly skilled and very experienced in the field of Android malware.
Android users need to be very careful when installing new software, as even applications hosted on the official Google Play Store may be used as infection vectors for the distribution of malware. It is best to trust a reputable anti-virus application to protect your Android device from threats like the PhantomLance Trojan.