Dozens of Android apps, including several available on the Play Store, were found to be running targeted attacks in over 300 instances on devices in India, Vietnam, Bangladesh, Indonesia, Nepal, Myanmar, Malaysia, Iran, Algeria and South Africa.
Dubbed PhantomLance by the researchers, the malicious apps act as spyware that can retrieve information from the targeted phone, including GPS data, messages, call logs, contacts and device details such as make, model and OS.
Google was informed about the malware-ridden apps and they were removed from the Play Store marketplace shortly thereafter.
According to the researchers at Kaspersky, the apps have been appearing since 2016 in various app marketplaces like APKpure and were found to have overlaps with OceanLotus APT campaigns, which are believed to be state-sponsored attacks backed by the Vietnamese government.
“Using our malware attribution technology, we can see that the PhantomLance payloads are at least 20% similar to the ones from the old OceanLotus Android campaign. We found multiple code similarities with the previous Android campaign, as well as macOS backdoors, infrastructure overlaps with Windows backdoors and a few cross-platform resemblances,” researchers at Kaspersky stated.
One of the apps found by the researchers was published as recently as November 2019. The applications mostly masquerade as Flash plugins, cleaners, updaters and local search tools. Beyond the intended targets, the malicious apps most likely also infected many other users, since they were available for download on public platforms.
The researchers also pointed out that the developers of these malicious apps used fake GitHub profiles, accompanied by a fake generic end-user license agreement (EULA), to upload the spyware apps to the Play Store. They further noted that, to evade detection, the initial versions of the apps uploaded to the Play Store and to third-party stores like APKpure contained neither malicious code nor code for dropping a malicious payload later. The malicious code was instead added to the apps in later updates.
“Third-party marketplaces like those mentioned in the table above often serve as a mirror for Google Play: they simply copy applications and metadata from Google Play to their own servers. Therefore, it is safe to assume that the samples listed were copied from Google Play as well.”