Hacker group used Google Play to distribute spyware for years

The apps had no malicious payloads, to begin with, and were updated with malicious software down the road.

@ShaneMcGlaun
Published Wed, Apr 29 2020 10:03 AM CDT   |   Updated Sat, Aug 8 2020 10:29 AM CDT

A new malicious campaign on the Google Play Store targeting Android devices dubbed PhantomLance has been discovered. According to the security researchers, the campaign has been active since at least 2015 and is ongoing. The campaign features multiple versions of sophisticated spyware that was created to gather the data of victims and targeted devices.

Hacker group used Google Play to distribute spyware for years 01 | TweakTown.com

Another hallmark of the campaign is that it used smart distribution tactics such as distribution via dozens of applications on the Google Play store, according to researchers at Kaspersky. The spyware campaign also used alternative Android app stores for distribution such as APKpure and APKCombo. Kaspersky researchers say that the PhantomLance spyware overlapped with other attacks that targeted Windows and MacOS that were attributed toa hacker group known as OceanLotus believed to be based in Vietnam that was also tracked as APT32.

Researchers say that the malware used in this particular campaign is a lot more complicated than the typical malware used by cybercriminals to steal financial information and credentials from Southeast Asian Android users. The majority of users impacted by this campaign are located in Vietnam, with a small number located in China. Information that the malware campaigns are targeting included information about geolocation, call logs, contacts, text messages, lists of installed apps, and device information.

Kaspersky researchers say that the threat actor was able to download and execute various malicious payloads allowing it to adapt the payload making it suitable to a specific environment. Researchers say that the methods allow the threat actor to avoid overloading the application with unnecessary features while gathering the desired information. The researchers do say that the backdoor apps that they discovered have been removed from the Play Store, but they persisted in the unofficial app marketplaces. These apps were first uploaded without any malicious payloads or code required to drop the malicious payloads on the compromise devices. The malicious behaviors were added via updates. Malware is a problem for all devices and is a big issue for email users. Google said not long ago that it blocks 18 million malicious emails per day.

Buy at Amazon

Samsung Galaxy S20+

TodayYesterday7 days ago30 days ago
$999.99$999.99$800.90
* Prices last scanned on 9/23/2020 at 4:37 pm CDT - prices may not be accurate, click links above for the latest price. We may earn an affiliate commission.

Shane is a long time technology writer who has been writing full time for over a decade. Shane will cover all sorts of news for TweakTown including tech and other topics. When not writing about all things geeky, he can be found at the track teaching noobs how to race cars.

Related Tags

Newsletter Subscription

Latest News

View More News

Latest Reviews

View More Reviews

Latest Articles

View More Articles