Sophisticated Android Spyware Attack Spreads via Google Play

The PhantomLance espionage campaign is targeting specific victims, mainly in Southeast Asia — and could be the work of the OceanLotus APT.

A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week.

Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.

The effort, though first spotted last year, stretches back to at least 2016, according to findings released at the SAS@home virtual security conference on Tuesday.

A Sophisticated Campaign

The spyware is fairly narrow in its focus when it comes to functionality, researchers said. It can gather geolocation data, call logs and contacts, and can monitor SMS activity; the malware can also gather a list of installed applications, as well as device information, such as the model and OS version.

Multiple versions of the malware have been found in various applications since it was first flagged in July 2019, all with the same basic tool set. All of the samples uncovered, researchers said, are connected by multiple code similarities. Once a rogue application is installed, it profiles the victim’s device environment, such as which Android version is running and which apps are installed, and the payload is then adapted accordingly.

An example of a rogue Google Play app harboring the spyware.

“This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information,” according to Kaspersky.

In the latest Google Play sample observed by Kaspersky, there is a clear payload; other versions use an interim step that drops an additional executable file.

“Our main theory about the reasons for all these versioning maneuvers is that the attackers are trying to use diverse techniques to achieve their key goal, to bypass the official Google marketplace filters,” the firm explained. “And achieve it they did, as even this version passed Google’s filters and was uploaded to Google Play Store in 2019.”

The latest version also hides its suspicious permission requests; they are requested dynamically and hidden inside the dex executable.

“This seems to be a further attempt at circumventing security filtering,” according to Kaspersky. “In addition to that, there is a feature that we have not seen before: if the root privileges are accessible on the device, the malware can use a reflection call to the undocumented API function ‘setUidMode’ to get permissions it needs without user involvement.”

“In order to evade filtering mechanisms employed by marketplaces, the first versions of the application uploaded by the threat actor to marketplaces did not contain any malicious payloads,” Kaspersky researchers explained in the analysis. “However, with later updates, applications received both malicious payloads and a code to drop and execute these payloads.”
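The two evasion patterns described above, a clean first upload that gains its payload in a later update and permission requests hidden in the dex rather than declared up front, both leave traces an analyst can check for when reviewing app updates. The following Python is an added triage example, not Kaspersky’s or BlackBerry’s tooling: it compares the declared permissions of two successive manifests and correlates a dex string-table dump against the manifest. The manifests, the string list, the sensitive-permission set and the reflection indicator names are constructed assumptions; `setUidMode` is the only method name taken from the report.

```python
"""Triage heuristics for Android app updates (illustrative, added example).
Inputs are constructed in-line: two AndroidManifest.xml fragments standing in
for successive versions of one app, and a list of string constants such as a
dex string-table dump would yield."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions whose appearance in a cleaner/updater/Flash-plugin app deserves review (assumed set).
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_PHONE_STATE",
}
# Reflection plumbing (assumed indicator list) and the non-SDK method named in the report.
REFLECTION = {"java.lang.reflect.Method", "getDeclaredMethod", "getMethod", "invoke"}
HIDDEN_API = {"setUidMode"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def diff_versions(old_xml: str, new_xml: str) -> dict:
    """Flag permissions an update adds relative to the previously reviewed version."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    added = new - old
    return {"added": sorted(added), "added_sensitive": sorted(added & SENSITIVE)}


def code_indicators(manifest_xml: str, dex_strings: list) -> dict:
    """Correlate dex string constants with the manifest.
    - undeclared: sensitive permission strings referenced in code but absent from
      the manifest (worth a closer look: staged for a later update, or handled by
      some path other than a normal request)
    - hidden_api_via_reflection: reflection plumbing together with a non-SDK method name
    """
    declared = declared_permissions(manifest_xml)
    perm_re = re.compile(r"^android\.permission\.[A-Z_]+$")
    referenced = {s for s in dex_strings if perm_re.match(s)}
    strings = set(dex_strings)
    return {
        "undeclared": sorted((referenced & SENSITIVE) - declared),
        "hidden_api_via_reflection": bool(strings & REFLECTION) and bool(strings & HIDDEN_API),
    }


# --- constructed sample input (hypothetical package name) ---
V1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
V2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
V2_DEX_STRINGS = [
    "com.example.cleaner.MainActivity", "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
    "java.lang.reflect.Method", "getDeclaredMethod", "setUidMode", "su",
]

if __name__ == "__main__":
    print(diff_versions(V1_MANIFEST, V2_MANIFEST))
    print(code_indicators(V2_MANIFEST, V2_DEX_STRINGS))
```

On the constructed input the version diff reports `READ_CONTACTS` as newly added, and the code check reports `READ_SMS` and `ACCESS_FINE_LOCATION` as referenced in code but never declared, alongside the reflection-plus-`setUidMode` pairing. None of these is proof of malice on its own; the point is that each is cheap to compute per update and together they reproduce the shape of the behaviour the report describes.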

Kaspersky’s report follows previous research from BlackBerry, which connected OceanLotus to a trio of fake apps for Android last year. One of those apps supposedly provided support for high-resolution graphics on the phone (e.g. for use in games), while another purported to block ads on a phone, and a third presented itself as a browser and cache cleaner. The apps were distributed through phishing, but also to a wider set of targets via third-party app stores as well as the official Google Play Store.

BlackBerry researchers also dug into how the apps made it into the Google Play Store itself – “finding that OceanLotus went to the trouble of establishing an entire fake backstory to give its malicious apps an air of legitimacy,” a spokesperson told Threatpost.

In behavior also seen by Kaspersky, the threat actor created a fake developer profile on an associated GitHub account for each app.

“They created modified GitHub repositories that theoretically showed evidence of the developers’ code for each app, complete with public facing ‘contact us’ email addresses to answer any questions that might arise about their ‘products,’” according to the BlackBerry research. “They even went to lengths to concoct entire privacy policies for their apps, which few people tend to actually read, but nevertheless was ironic, given that OceanLotus’ entire premise was to spy on its targets.”

A Targeted Attack

Interestingly, researchers observed that the malware’s operators don’t seem interested in wide-scale infection. In fact, according to the firm’s telemetry, only around 300 infection attempts have been observed on Android devices since 2016 — mainly in India, Vietnam, Bangladesh and Indonesia. Other infections were found in Algeria, Iran and South Africa, and several more in Nepal, Myanmar and Malaysia.

“Usually if malware creators manage to upload a malicious app in the legitimate app store, they invest considerable resources into promoting the application to increase the number of installations and thus increase the number of victims,” explained the researchers in the writeup. “This wasn’t the case with these newly discovered malicious apps. It looked like the operators behind them were not interested in mass spread. For the researchers, this was a hint of targeted APT activity.”

The types of applications that the malware mimics include Flash plugins, cleaners and updaters.

An example of a Vietnam-focused PhantomLance app.

Vietnam in particular saw a large number of attempted attacks; and, some malicious applications used in the campaign were also made exclusively in Vietnamese. These include “Tim quan nhau | Tìm quán nhậu” (“Find each other | Find pubs” in Vietnamese); and “Địa Điểm Nhà Thờ” (“Church Place”).

The OceanLotus Connection

Kaspersky researchers determined in their research that the PhantomLance payloads were at least 20 percent similar to those used in an older Android campaign associated with OceanLotus. Also, there were several other overlaps with OceanLotus activity that has been seen targeting Windows and MacOS users. The firm is assessing with “medium confidence” that PhantomLance could be the work of the cyber-espionage group.

Links to prior OceanLotus activity.

OceanLotus, also known as APT32, is a Vietnam-linked APT that has been in operation since at least 2013. Its targets are mostly located in Southeast Asia. Recently, from at least January to April, FireEye Mandiant researchers have seen the group attacking China’s Ministry of Emergency Management, as well as the government of Wuhan province, in an apparent bid to steal intelligence regarding the country’s COVID-19 response.

Kaspersky reported all discovered PhantomLance samples to the owners of legitimate app stores in which they were found, and Google Play has removed the known apps, but the campaign is ongoing, according to the firm.

“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find,” said Alexey Firsh, security researcher at Kaspersky’s GReAT division, who delivered a session at the SAS@home virtual summit on the campaign. “PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals. We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area.”
