Researchers at Kaspersky discovered an Android malware campaign targeting specific Southeast Asian countries. The campaign, named PhantomLance, is possibly run by an APT group linked to the Vietnamese government. According to the researchers, the campaign has been actively distributed through Google Play Store under the guise of various utility apps. It has been active since 2016 and is still running even after Google removed the suspicious apps.
Bypassing Google's filters isn't easy, but a sophisticated malware gang has managed it anyway by fooling Google Play Store's vetting in several ways. The active campaign discovered by Kaspersky researchers reveals that several apps on Google Play Store, as well as on the third-party app repository APKPure, have been distributing malware to Android phones. The campaign has been active since 2016 and targets only specific countries.
As usual, these malicious apps are designed to steal sensitive information by planting backdoors on the user's phone. The infection starts by luring users into installing the apps, which are disguised as app cleaners, Flash plug-ins, or updates. Once installed, they collect the device model, OS version, SMS messages, call logs, contacts, and GPS location. All of this is sent to the attacker's command-and-control (C2) server.
Several variants of this malware have been detected, all belonging to the same PhantomLance campaign. Its authors are advanced enough that the app profiles the device it lands on and drops a payload accordingly. Some variants carry the payload embedded directly, while others install a backdoor that retrieves the payload later.
So an APT?
Targeting specific countries and planting backdoors to gather information are among the hints that led researchers to believe this campaign is run by an APT group. The group is thought to be APT32, also known as OceanLotus, which has been attributed to the Chinese or Vietnamese governments.
The targeted users are in Vietnam, Bangladesh, India, and Indonesia. Some infections were also found in South Africa, Nepal, Algeria, Iran, Malaysia, and Myanmar. Google removed the malicious apps after they were reported, but researchers say the campaign remains active on already infected devices.