A new malicious campaign on the Google Play Store targeting Android devices dubbed PhantomLance has been discovered. According to the security researchers, the campaign has been active since at least 2015 and is ongoing. The campaign features multiple versions of sophisticated spyware that was created to gather the data of victims and targeted devices.
Another hallmark of the campaign is that it used smart distribution tactics such as distribution via dozens of applications on the Google Play store, according to researchers at Kaspersky. The spyware campaign also used alternative Android app stores for distribution such as APKpure and APKCombo. Kaspersky researchers say that the PhantomLance spyware overlapped with other attacks that targeted Windows and MacOS that were attributed toa hacker group known as OceanLotus believed to be based in Vietnam that was also tracked as APT32.
Researchers say that the malware used in this particular campaign is a lot more complicated than the typical malware used by cybercriminals to steal financial information and credentials from Southeast Asian Android users. The majority of users impacted by this campaign are located in Vietnam, with a small number located in China. Information that the malware campaigns are targeting included information about geolocation, call logs, contacts, text messages, lists of installed apps, and device information.
Kaspersky researchers say that the threat actor was able to download and execute various malicious payloads allowing it to adapt the payload making it suitable to a specific environment. Researchers say that the methods allow the threat actor to avoid overloading the application with unnecessary features while gathering the desired information. The researchers do say that the backdoor apps that they discovered have been removed from the Play Store, but they persisted in the unofficial app marketplaces. These apps were first uploaded without any malicious payloads or code required to drop the malicious payloads on the compromise devices. The malicious behaviors were added via updates. Malware is a problem for all devices and is a big issue for email users. Google said not long ago that it blocks 18 million malicious emails per day.