Researchers from security firm Kaspersky have revealed a dangerous malware campaign called PhantomLance which has been apparently lurking in Google’s official Play Store marketplace.
Dozens of malicious apps carrying the malware have been distributed via the Play Store and alternative app stores such as APKpure and APKCombo, and are used to spy on users' habits and steal their data.
Kaspersky says that this malware campaign has been live for over 4 years, and is likely the work of the OceanLotus advanced persistent threat (APT) group, thought to be based out of Vietnam.
The malware mainly targets users in Vietnam, Bangladesh, Indonesia, and India to collect information such as location data, call logs and contacts, and can even monitor SMS activity, and read the phone’s OS version, model and list of installed applications.
This campaign was discovered after Kaspersky came across a Dr Web report from 2019 concerning a Play Store app that came with a backdoor allowing a Trojan to install malware and exfiltrate data from the device.
The Russian security firm found traits of the malware in multiple applications distributed via the Play Store. These apps are said to use a high level of encryption and were more complex than most other malware used by cybercriminals to steal personal and financial data.
“PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals,” said Kaspersky researcher Alexey Firsh.
According to the report, the “threat actor was able to download and execute various malicious payloads, and thus adapt the payload that would be suitable to the specific device environment, such as the Android version and installed apps.”
“This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information,” the report adds.
The hackers would first upload a clean copy of an application to the Play Store and other app repositories. Once the application was approved, follow-up versions contained malicious payloads or the code needed to install further apps in the background on the compromised device.
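The clean-first-then-malicious-update pattern described above is something an app-vetting or mobile-security team can look for by comparing what successive versions of a package ask for. The following is an added example, not code from Kaspersky's report or from the campaign itself: it diffs the `<uses-permission>` entries of two decoded `AndroidManifest.xml` files and flags an update that newly requests access to the data categories the article names (location, call logs, contacts, SMS) or the ability to install packages. The two manifests are constructed sample inputs; the permission names are real Android permissions, and the app package name `com.example.weather` is a placeholder.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace; attributes appear as
# "{namespace}name" once ElementTree has parsed the document.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permissions mapped to the data categories the article says
# the spyware collects, plus the permission needed to install further packages.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "background app install",
}

# Constructed sample: the "clean" first release only needs network access.
MANIFEST_V1 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: the follow-up release quietly broadens its permissions.
MANIFEST_V2 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""


def permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    key = f"{{{ANDROID_NS}}}name"
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def update_risk(old_manifest: str, new_manifest: str) -> dict:
    """Diff two manifest versions and flag newly requested high-risk permissions.

    Returns every permission the update added, the subset considered high risk,
    and the data categories those permissions unlock.
    """
    added = permissions(new_manifest) - permissions(old_manifest)
    flagged = sorted(p for p in added if p in HIGH_RISK)
    return {
        "added": sorted(added),
        "flagged": flagged,
        "categories": sorted({HIGH_RISK[p] for p in flagged}),
    }


if __name__ == "__main__":
    result = update_risk(MANIFEST_V1, MANIFEST_V2)
    if result["flagged"]:
        print("update adds high-risk permissions:", result["categories"])
        for perm in result["flagged"]:
            print("  ", perm)
    else:
        print("no high-risk permissions added by this update")
```

Two caveats a reviewer would want. The manifest inside a real APK is binary-encoded, so it must be decoded first (tools such as apktool or androguard do this) before being handed to `update_risk`. And this check is only a first filter: the report says the actor downloaded payloads at runtime and adapted them to the device, so an update can stay quiet in its manifest and still change behaviour; permission diffs belong alongside code and network-behaviour comparison, not in place of them.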