Kaspersky researchers have warned about an ongoing cyberespionage campaign that uses malicious spying apps hosted on Google Play to steal Android user data. The campaign, dubbed PhantomLance, has been active for at least four years and bears the marks of the Vietnam-linked hacking group OceanLotus, also known as APT32 or CobaltKitty.
The researchers say they found multiple code similarities with a previous Android campaign and with macOS backdoors, infrastructure overlaps with Windows backdoors, and a few cross-platform resemblances.
The malware was first discovered by Dr. Web researchers in July 2019 on Google Play. The backdoor trojan was distributed under the guise of an application called OpenGL Plugin and allowed its operators to remotely control infected Android devices and spy on their users.
Intrigued by the malware's level of sophistication, Kaspersky researchers started their own investigation, which revealed dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces, including Google Play.
“The functionality of all samples is similar – the main purpose of the spyware was to gather sensitive information. While the basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information, such as model and OS version,” the researchers said.
“Furthermore, the threat actor was able to download and execute various malicious payloads, thus adapting the payload that would be suitable to the specific device environment, such as Android version and installed apps. This way the actor is able to avoid overloading the application with unnecessary features and at the same time gather the information needed.”
The malware was spread via application marketplaces, such as Google Play and multiple third-party app stores that, unlike Google Play, still host malicious apps.
To avoid detection, the initial versions of the malicious apps uploaded to Android app stores contained no malicious code; follow-up versions were then updated with both malicious payloads and the code to drop and execute them.
The experts observed around 300 infection attacks on Android devices in India, Vietnam, Bangladesh and Indonesia since 2016.
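The "clean first upload, malicious update later" pattern described above is something an app-vetting pipeline can check for by diffing the permissions an app requests between versions and comparing any newly added ones against the data-access profile the article lists (location, call logs, contacts, SMS, installed apps). The script below is an added example written for this article, not code from Kaspersky, Dr. Web or the PhantomLance samples; the two manifests, the package name and the version numbers are constructed for illustration.

```python
"""Flag an app update whose manifest newly requests the spyware-style
permissions described in the PhantomLance report.

Added example for this article; the manifests below are constructed samples,
not real PhantomLance artifacts."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups named in the report, mapped to the Android permissions
# an app would need to collect that data.
SPYWARE_PROFILE = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Constructed manifest of a benign-looking first upload: only INTERNET.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.glplugin" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed manifest of a follow-up update that adds data-access permissions.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.glplugin" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""


def permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def version_code(manifest_xml):
    """Return the integer android:versionCode of a manifest."""
    return int(ET.fromstring(manifest_xml).get(ANDROID_NS + "versionCode"))


def profile_hits(perms):
    """Return the sorted capability groups that a permission set satisfies."""
    return sorted(name for name, needed in SPYWARE_PROFILE.items()
                  if perms & needed)


def assess_update(old_xml, new_xml):
    """Diff two manifest versions and flag updates that newly unlock two or
    more of the profiled data-collection capabilities."""
    added = permissions(new_xml) - permissions(old_xml)
    capabilities = profile_hits(added)
    return {
        "from_version": version_code(old_xml),
        "to_version": version_code(new_xml),
        "added_permissions": sorted(added),
        "new_capabilities": capabilities,
        "suspicious": len(capabilities) >= 2,
    }


if __name__ == "__main__":
    for key, value in assess_update(MANIFEST_V1, MANIFEST_V2).items():
        print(f"{key}: {value}")
```

The threshold of two newly unlocked capability groups is a design choice for the example: a single added permission often has a legitimate explanation for a real feature, whereas an update that simultaneously gains location, call-log, contact and SMS access without a matching change in the app's stated purpose is the kind of drift worth holding for manual review before the update is published.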
“Based on the complete analysis of previous campaigns, with the actors’ interests in victims located in Vietnam, infrastructure overlaps between PhantomLance and OceanLotus for Windows, multiple code similarities between an old Android campaign and MacOS backdoors, we attribute the set of the Android activity (campaign 2014-2017 and PhantomLance) to OceanLotus with medium confidence,” the researchers concluded.