A long-running malware campaign whose activity dates back to 2016 has been using a sophisticated playbook of tricks to sneak trojanized Android apps into the Google Play Store as well as third-party marketplaces.
Researchers from Kaspersky have dubbed the campaign PhantomLance and, based on certain calling cards, have attributed it with medium confidence to the OceanLotus APT group, which experts typically associate with Vietnam-based cyber espionage actors. The findings appear to echo an October 2019 Mobile Malware and APT Espionage report from BlackBerry Cylance, which detailed an operation dubbed OceanMobile that spread malware via fake apps with elaborately crafted back stories.
In a company blog post, Kaspersky researchers Alexey Firsh and Lev Pikman report that the campaign's main payload is a backdoor that anti-virus firm Dr. Web first observed in Google Play in July 2019.
Kaspersky says it has found dozens of samples of the backdoor in the wild. It comes in three major versions and has been found packaged within malicious mobile apps that target users based primarily in Southeast Asia. PhantomLance has been observed attacking devices based in India, Vietnam, Bangladesh, Indonesia, Nepal, Myanmar and Malaysia, the report states.
The backdoor essentially acts as spyware, allowing adversaries to gather sensitive information from geolocation data, call logs, contact access and SMS texts. It can also collect device information and execute additional malicious payloads based on the attackers' specific needs.
One of the latest samples was reportedly published in Google Play as recently as Nov. 6, 2019. According to Kaspersky, Google has since removed the trojanized apps, including one called "Browsers Turbo – Scanner and Cleaner," from its store, but the apps remain on other third-party sites.
PhantomLance executed a considerable number of clever maneuvers to smuggle malicious apps past Google Play defenses and fool users, the blog post explains. The use of multiple versions of the malware was one such strategy, for instance.
Additionally, the actors behind the operation attempted to create a credible-looking developer profile via a GitHub account containing a fake end-user license agreement. And when they introduced their apps into marketplaces, they started with benign versions bearing no malicious attributes. Only later did they update the apps to deliver the backdoor payload.
That is not the extent of the PhantomLance campaign's craftiness: "No suspicious permissions are mentioned in the manifest file; instead, they are requested dynamically and hidden inside the dex executable. This seems to be a further attempt at circumventing security filtering," the report explains. "In addition to that, there is a feature that we have not seen before: if the root privileges are accessible on the device, the malware can use a reflection call to the undocumented API function 'setUidMode' to get permissions it needs without user involvement."
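The two evasion tricks quoted above, permissions that live in the dex code rather than the manifest and a reflective call to setUidMode, both leave traces a reviewer can look for before an app ships or during triage. The following script is an added example written for this article; it is not code from Kaspersky, Dr. Web or the report. It compares the permissions declared in a (constructed) AndroidManifest.xml against permission constants and reflection-related names found in a (constructed) dex string table, and flags the spyware-relevant permissions the article lists (location, call logs, contacts, SMS) when they are referenced in code but never declared. In practice the manifest and string table would be pulled from a real APK with a dex/APK parsing tool; the sample inputs and the `analyze` function are assumptions for this demo.

```python
# Added example (not from the Kaspersky report or the article): a defender-side
# heuristic that compares the permissions an APK declares in AndroidManifest.xml
# with permission strings and suspicious API names found in its dex string table.
# The manifest and the dex string list below are CONSTRUCTED for this demo;
# in practice they would be extracted from a real APK with an APK/dex parser.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: a "cleaner" app that declares only harmless permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""

# Constructed dex string table (the kind of list a dex parser returns for
# classes.dex); it contains permission constants the manifest never declares,
# plus the undocumented method name the report mentions.
SAMPLE_DEX_STRINGS = [
    "Lcom/example/cleaner/MainActivity;",
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "requestPermissions",
    "Landroid/app/AppOpsManager;",
    "setUidMode",
    "getDeclaredMethod",
]

# Permissions matching the data types the article says the backdoor collects.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

PERMISSION_RE = re.compile(r"^android\.permission\.[A-Z_]+$")


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def referenced_permissions(dex_strings):
    """Return permission constants that appear in the dex string table."""
    return {s for s in dex_strings if PERMISSION_RE.match(s)}


def analyze(manifest_xml, dex_strings):
    """Flag permissions used in code but absent from the manifest, and the
    reflection-to-setUidMode pattern described in the report."""
    declared = declared_permissions(manifest_xml)
    referenced = referenced_permissions(dex_strings)
    undeclared = referenced - declared
    findings = {
        "undeclared_permissions": sorted(undeclared),
        "undeclared_sensitive": sorted(undeclared & SENSITIVE_PERMISSIONS),
        # A reflection helper together with the hidden API name is the
        # indicator; either string alone is common in benign code.
        "reflective_setuidmode": "setUidMode" in dex_strings
        and "getDeclaredMethod" in dex_strings,
    }
    findings["suspicious"] = (
        bool(findings["undeclared_sensitive"]) or findings["reflective_setuidmode"]
    )
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS).items():
        print(f"{key}: {value}")
```

The check is a heuristic, not proof of malice: legitimate apps reference permission strings for feature detection, and `getDeclaredMethod` is common in ordinary code. What makes a sample worth a closer look is the combination, sensitive permission constants that the manifest never declares alongside the `setUidMode` name next to reflection helpers, which is exactly the pairing the report describes.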
Kaspersky says it tentatively tied the campaign back to OceanLotus due to shared infrastructure and code similarities between PhantomLance and previous discoveries that have been linked to the same APT group, including a 2014-2017 Android campaign and a MacOS backdoor malware program.