Spyware “legally” distributed

Spyware has been “legally” distributed through the official Android store for years

Kaspersky Lab discovered a company that was distributing spyware, including through Google Play.

The spyware through the official sources

For several years, Android users have been the targets of attacks by the PhantomLance malware campaign, whose operators used Google Play to distribute apps containing the malicious modules.

According to Kaspersky Lab, the campaign has been running since at least 2015 and continues to this day. Its operators use many different versions of their malware, which was distributed through dozens of apps, including those published on Google Play. Some infected apps were also found in unofficial app stores APKpure and APKCombo.

"One of the last samples was discovered in the official app store on November 6, 2019. We informed Google about the malware, and it was soon eliminated," Kaspersky Lab said in its publication. However, some of the PhantomLance malware is still found in unofficial stores.

The main purpose of the malware is to collect data: it gathers geolocation information, call logs, the contact list, the list of installed applications, the operating system version, the device ID, and so on. If necessary, the malware downloads and installs additional modules; which modules it fetches is determined by the OS version and by the information about installed applications.

The attackers' tactic is quite simple: initially, both official and unofficial stores approve a clean version of the app that contains no malicious components. The malicious content, along with the plug-ins for loading and running it on end devices, is added later.
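As an added example (not from the article or from Kaspersky's report), the following Python script shows the kind of check a store reviewer or defender can run against the tactic just described: compare a later version of an app with the version that was originally reviewed, and flag newly requested permissions that match the data categories the article lists, as well as newly referenced runtime code-loading classes. The permission and class names are real Android ones; the mapping of permissions to data categories, the two manifests and the class-reference sets are constructed for the example.

```python
import re

# Data the article says PhantomLance collects, mapped to the Android permission an
# app must request to collect it (real permission names; the mapping is ours).
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing extra modules",
}
# Classes an app uses to load code it downloads at runtime (real class names).
DYNAMIC_LOADERS = {
    "dalvik.system.DexClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
}
PERM_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')

def permissions(manifest_xml: str) -> set:
    """Permissions declared in a decoded (text, not binary) AndroidManifest.xml."""
    return set(PERM_RE.findall(manifest_xml))

def staged_update_findings(old_manifest, new_manifest, old_refs, new_refs) -> dict:
    """Compare a later app version with the version that was originally reviewed.
    *_refs are sets of class names referenced by the app's DEX code (e.g. taken
    from a decompiler). Returns what the update newly requests or newly uses."""
    new_perms = permissions(new_manifest) - permissions(old_manifest)
    return {
        "new_sensitive_permissions": {
            p: SENSITIVE_PERMISSIONS[p] for p in sorted(new_perms)
            if p in SENSITIVE_PERMISSIONS
        },
        "new_dynamic_loaders": sorted((set(new_refs) - set(old_refs)) & DYNAMIC_LOADERS),
    }

# Constructed sample: a clean first release and a later update of the same app.
CLEAN_V1 = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            '<uses-permission android:name="android.permission.INTERNET"/></manifest>')
UPDATE_V2 = CLEAN_V1.replace("</manifest>",
            '<uses-permission android:name="android.permission.READ_CALL_LOG"/>'
            '<uses-permission android:name="android.permission.READ_CONTACTS"/>'
            '<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>'
            '</manifest>')
V1_REFS = {"java.net.HttpURLConnection"}
V2_REFS = V1_REFS | {"dalvik.system.DexClassLoader"}

if __name__ == "__main__":
    print(staged_update_findings(CLEAN_V1, UPDATE_V2, V1_REFS, V2_REFS))
```

A clean first release followed by an update that adds call-log, contact and location access together with a runtime DEX loader is exactly the pattern the article describes, and it is invisible if only the first submission is reviewed.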

"The fact that this tactic has demonstrated its effectiveness shows that Google Play's security tools need some improvement," said Mikhail Zaitsev, an information security expert at SEC Consult Services. "PhantomLance is clearly not the first to use this method. The fact that such malware could remain undetected for so long is due to the very low number of infections, which is probably due to the specificity of the malicious applications."

App stores like apkcombo.com, apk.support, apkpure.com and apkpourandroid.com for the most part "mirror" Google Play, so they end up carrying everything that reaches the official app store. However, not everything that is removed from Google Play is deleted from them.

The infrastructure of a predecessor

According to Kaspersky Lab, PhantomLance uses the same infrastructure that was used for attacks by the APT group OceanLotus (aka APT32), presumably of Vietnamese origin.

The same opinion is shared by Antiy Labs, which in May 2019 detected a malicious program for Android that was later associated with PhantomLance.

OceanLotus' operations were mostly phased out by 2018. To date, Kaspersky Lab has managed to detect about 300 cases of infections with PhantomLance in India, Bangladesh, Indonesia, as well as Iran, Algeria, South Africa, and others.

The targets of attacks are mainly foreign companies that invest in Vietnam's key industrial sectors. Human rights organizations, research institutions, and media conglomerates are also being targeted. Some shipbuilding corporations in China were also attacked.
