
Hacking group used Google Play Store to push spyware for years – BleepingComputer


A malicious campaign dubbed PhantomLance has been targeting users of Android devices with spyware payloads embedded in applications delivered via multiple platforms including Google’s Play Store and alternative Android app stores such as APKpure and APKCombo.

According to a report published earlier by Kaspersky researchers, PhantomLance overlaps with previous campaigns targeting Windows and macOS attributed to OceanLotus, an advanced persistent threat group also tracked as APT32 and believed to be Vietnam-based.

“[The] campaign has been active since at least 2015 and is still ongoing, featuring multiple versions of a complex spyware – software created to gather victims’ data – and smart distribution tactics, including distribution via dozens of applications on the Google Play official market,” Kaspersky says.

Focused on collecting and stealing information

Kaspersky’s researchers uncovered the targeted campaign after Doctor Web published a report on a new backdoor trojan found on the Play Store, malware far more complex than what cybercriminals typically use to steal financial information and credentials from Android users in Southeast Asia.

Antiy Labs researchers also published a report describing the Android malware campaign in May 2019, attributing it to the OceanLotus hacking group.

“It is important to note that according to our detection statistics, the majority of users affected by this campaign were located in Vietnam, with the exception of a small number of individuals located in China,” Kaspersky says.

[Figure: Countries targeted by PhantomLance (Kaspersky)]

Kaspersky later found similar malware samples in multiple apps distributed on the Play Store and tied them to the PhantomLance campaign, a targeted series of attacks aimed at harvesting information including geolocation, call logs, contacts, text messages, the list of installed apps, and device information.

“Furthermore, the threat actor was able to download and execute various malicious payloads, and thus adapt the payload that would be suitable to the specific device environment, such as the Android version and installed apps,” Kaspersky’s report reads.

“This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information.”

Distributed via multiple Android marketplaces

Kaspersky lists the following Android applications that carried PhantomLance samples; all were distributed through the Play Store and removed by Google in November 2019.

Package name                  Google Play persistence date (at least)
com.zimice.browserturbo       2019-11-06
com.physlane.opengl           2019-07-10
com.unianin.adsskipper        2018-12-26
com.codedexon.prayerbook      2018-08-20
com.luxury.BeerAddress        2018-08-20
com.luxury.BiFinBall          2018-08-20
com.zonjob.browsercleaner     2018-08-20
com.linevialab.ffont          2018-08-20

While the backdoored apps discovered by Kaspersky have already been removed from the Play Store, the same is not true of the unofficial marketplaces: the PhantomLance spyware is still hosted and distributed through stores such as https://apkcombo[.]com, https://apk[.]support/, https://apkpure[.]com, https://apkpourandroid[.]com, and many others.

To avoid getting their apps flagged and blocked from being listed, the OceanLotus hackers would first upload clean versions of an app, without any malicious payload or the code needed to drop one on compromised devices. This behavior was confirmed after researchers found versions of the same app both with and without an embedded payload.

“These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads,” the researchers reveal.

The fact that the malicious apps are still available through third-party marketplaces is easy to explain: most of these stores work by mirroring the official Play Store, so they grabbed and listed the malicious apps as well.
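The staged-upload tactic described above (a clean first release, then an update that adds the payload and its dropper) and the list of data the spyware harvests suggest two cheap checks a defender can run on a device or a build pipeline. The following is an added example written for this page, not code from Kaspersky or from any analysis of the campaign: it diffs the permissions of two decoded AndroidManifest.xml files (as produced by a tool such as apktool) to flag an update that suddenly asks for SMS, contacts, call-log or location access, and it matches the output of `adb shell pm list packages` against the package names in the table above. The two manifests and the package listing are constructed sample input, `com.example.cleaner` is a hypothetical package, and the mapping from permissions to harvested data is an assumption of ours, since the report lists the data, not the permissions.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Package names Kaspersky listed for PhantomLance apps removed from Google Play.
PHANTOMLANCE_PACKAGES = {
    "com.zimice.browserturbo",
    "com.physlane.opengl",
    "com.unianin.adsskipper",
    "com.codedexon.prayerbook",
    "com.luxury.BeerAddress",
    "com.luxury.BiFinBall",
    "com.zonjob.browsercleaner",
    "com.linevialab.ffont",
}

# Android permissions that grant access to the data the spyware harvests.
# This mapping is our own assumption; the report lists the data, not permissions.
HARVEST_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_PHONE_STATE": "device information",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def parse_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission android:name="..."/> entries from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def permission_delta(old_manifest_xml: str, new_manifest_xml: str) -> dict[str, str]:
    """Return permissions the update adds that map to harvested data.

    A clean first release followed by an update that newly requests SMS, contact,
    call-log or location access is the pattern the campaign used to get past review.
    """
    added = parse_permissions(new_manifest_xml) - parse_permissions(old_manifest_xml)
    return {p: HARVEST_PERMISSIONS[p] for p in sorted(added) if p in HARVEST_PERMISSIONS}


def installed_iocs(pm_list_output: str) -> list[str]:
    """Match the `package:<name>` lines of `adb shell pm list packages` against the IOCs."""
    found = set()
    for line in pm_list_output.splitlines():
        m = re.match(r"package:(\S+)$", line.strip())
        if m and m.group(1) in PHANTOMLANCE_PACKAGES:
            found.add(m.group(1))
    return sorted(found)


# Constructed sample input: two manifests for the hypothetical package
# "com.example.cleaner" (not a real PhantomLance app) and a made-up pm listing.
MANIFEST_V1 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner" android:versionCode="1">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Cleaner"/>
</manifest>
"""

MANIFEST_V2 = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner" android:versionCode="2">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Cleaner"/>
</manifest>
"""

PM_LIST_OUTPUT = """package:com.android.chrome
package:com.zimice.browserturbo
package:com.example.cleaner
"""

if __name__ == "__main__":
    for perm, data in permission_delta(MANIFEST_V1, MANIFEST_V2).items():
        print(f"update adds {perm} -> exposes {data}")
    print("IOC packages installed:", installed_iocs(PM_LIST_OUTPUT))
```

A permission jump alone is not proof of compromise, but a browser cleaner or font app whose update newly requests SMS, contacts, call-log and location access is worth pulling and inspecting for downloaded-payload execution before the update reaches users; the IOC match is only as good as the package list, which covers the Play Store samples and not the copies still mirrored on third-party stores.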

Five-year long OceanLotus campaign

“PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals,” Alexey Firsh, security researcher at Kaspersky’s GReAT, said.

“We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area.”

APT32 is an advanced persistent threat group believed to be backed by Vietnam and known to have targeted foreign companies investing in multiple Vietnamese industry sectors.

The group is also known to have been behind attacks targeting research institutes around the world, media organizations, human rights organizations, and even Chinese maritime construction firms. [1, 2, 3, 4, 5, 6, 7]

More recently, the Vietnamese threat actors carried out spear-phishing attacks targeting China’s Ministry of Emergency Management and the government of the city of Wuhan, with the goal of collecting intelligence on the ongoing COVID-19 crisis.
