PhantomLance Malware Campaign Has Taken Over Android Play Store

Once again, Android users need to be careful while downloading apps from the Play Store. Researchers have discovered a wave of malicious apps on the Play Store constituting the PhantomLance malware campaign.

PhantomLance Malware Campaign On Android

Reportedly, security researchers from Kaspersky Labs have discovered a malware campaign active on the Google Play Store. Dubbed PhantomLance, the campaign has existed in some form for about four years, delivered through various malicious apps.

Elaborating on their findings in a blog post, the researchers stated that they found dozens of malicious apps carrying malware similar to what Dr. Web discovered in 2019. Specifically, they found multiple versions of the malware that predominantly served as spyware exfiltrating data from the device. As stated by the researchers,

While the basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information, such as model and OS version.

The attackers could also download and execute additional payloads tailored to the target device. This allowed them to avoid cluttering the device with unnecessary functionality while still exfiltrating the data they wanted.

The researchers noticed that the attackers primarily used a variety of utility applications to spread the malware. These include apps named Browser Cleaner, Browser Turbo, OpenGL, and many others.

For successful exploitation, the attackers took care to first publish clean versions of the apps on the Play Store. Once the apps were approved, they updated them with the malicious payloads. As a result, the researchers could readily find two versions of every suspicious app: one carrying a payload and one clean version.
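As an added illustration (not code from the article or from Kaspersky), the following Python compares the permissions declared by two builds of the same app and flags an update that newly requests the data categories the article lists (geolocation, call logs, contacts, SMS). The two manifests are constructed samples, and the package name and app contents are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map onto the data the article says the spyware collected:
# geolocation, call logs, contacts and SMS.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
}


def permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def audit_update(old_manifest: str, new_manifest: str) -> dict:
    """Diff the permission sets of two builds and flag newly added sensitive ones."""
    added = permissions(new_manifest) - permissions(old_manifest)
    flagged = {p: SENSITIVE[p] for p in added if p in SENSITIVE}
    return {"added": sorted(added), "flagged": flagged, "suspicious": bool(flagged)}


# Constructed sample manifests (not real PhantomLance artefacts): the first mimics
# a clean "browser cleaner" build, the second an update that adds data-collection
# permissions of the kind described in the article. Package name is hypothetical.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

UPDATED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_update(CLEAN_MANIFEST, UPDATED_MANIFEST))
```

A permission diff alone will not catch a payload that is fetched at runtime, so it is a triage signal for reviewing updates, not proof of malice.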

To add authenticity to their developer profiles, the attackers created GitHub accounts hosting fake end-user license agreements (EULAs).

During their study, the researchers linked the malware campaign to the OceanLotus APT (also known as APT32), which has been active since 2013. A detailed technical analysis of the malware is available in the researchers' post.

Malware Persists On Third-Party Stores

Kaspersky found that the malware campaign primarily targeted South Asia, including India, Bangladesh, Nepal and Myanmar, with further victims in Vietnam, Indonesia, Iran, Algeria, South Africa and Malaysia.

Upon finding the malicious apps, the researchers notified Google, which then removed the apps from the Play Store.

However, the malware continues to exist on third-party app stores. Users must remain vigilant when downloading apps, even from the Play Store. Ideally, users should avoid any app that does not come from a legitimate developer.

