Sun. Jun 7th, 2020

Kaspersky: PhantomLance malware has been existed on Google Play for at least four years

2 min read

Kaspersky reported that professional hacker groups have infiltrated Google Play since at least 2016, using the official Play Store to spread malicious programs with backdoor functions and stealing sensitive user information. Kaspersky identified 8 apps dating back to 2018. Archive search and other methods show that hacker groups have sneaked into Google Play since at least 2016.

PhantomLance
Image: Kaspersky

The domain name of the command control server used by the malicious program was registered in 2015. The code and command control server is associated with the hacking organization OceanLotus (aka APT32, APT-C-00, and SeaLotus), so the researchers believe that these malicious programs are professional hacking organizations’ work.

Attackers used multiple methods to evade Google’s security checks. One way is that the initially accepted version has no malicious features, but subsequent updates have added backdoors. Even the original version does not require permissions but uses hidden code to request permissions. Researchers explain “No suspicious permissions are mentioned in the manifest file; instead, they are requested dynamically and hidden inside the dex executable. This seems to be a further attempt at circumventing security filtering.”

During our extensive investigation, we spotted a certain tactic often used by the threat actors for distributing their malware. The initial versions of applications uploaded to app marketplaces did not contain any malicious payloads or code for dropping a payload. These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads. We were able to confirm this behavior in all of the samples, and we were able to find two versions of the applications, with and without a payload,” Kaspersky added. Google has removed these apps after receiving the report.