Research firm Kaspersky has discovered a new spy campaign that has been stealing data from hundreds of users for the last five years. Dubbed PhantomLance, this campaign has been active since 2015 and may have been started by the hacker group OceanLotus. The campaign uses multiple versions of complex spyware to target users in India, Vietnam, Bangladesh, and Indonesia. The main purpose of this spyware was to gather information, and Kaspersky observed 300 infection attempts since 2016. The campaign relies on a set of malicious apps whose operators were not interested in mass installation; their main aim was to spy on select users. This hints at how hackers are resorting to more sophisticated methods to make themselves harder to detect.
All the malicious spyware samples found by Kaspersky were reported to Google, and the tech giant has already delisted these apps from the Play Store. These apps purported to provide basic functionality, but gathered information from the targeted device such as the list of installed applications and device details like the model and OS version. ‘Furthermore, the malicious app was able to download and execute various malicious payloads, and thus adapt the payload that would be suitable to the specific device environment, such as the Android version and installed apps. This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information’, Kaspersky notes.
PhantomLance was distributed on various platforms, including Google Play and APKpure, to make it seem more legitimate. The hacker group even created a fake developer account on GitHub for extra credibility. The apps managed to evade the filtering mechanisms employed by Google and other app stores by uploading first versions of the application without any malicious payloads. The malicious payloads, along with the code to drop and execute them, were delivered through later updates. In Kaspersky’s findings, Vietnam stood out as one of the top countries by number of attempted attacks, and some malicious apps used in the campaign were made exclusively in Vietnamese.
Based on similarities with malicious code from past Android campaigns, Kaspersky researchers claim that the PhantomLance campaign was started by OceanLotus. While Google has taken the apps down from the Play Store, there is no guarantee that such apps will not crop up in the future. The research firm recommends investing in a viable security solution that protects the device from a wide range of threats. It is also recommended to install apps from the Google Play Store with a lot of caution and evaluation: check the reviews and ensure that only apps from popular and credible developers are downloaded to the phone.