Cyber espionage campaign exploiting Google Play Store to distribute malware uncovered
The campaign has been linked to Vietnam-state-backed threat group APT32
Researchers at Kaspersky have uncovered a new cyber espionage campaign that has been using the Google Play Store to distribute malware for the last four years.
Called "PhantomLance" by Kaspersky, this Android campaign is linked to threat group APT32, also known as OceanLotus, which is thought to be backed by the Vietnamese government.
While this cyber espionage campaign has targeted Android users in multiple countries including Vietnam, India, Indonesia, Malaysia, Bangladesh, Iran and Myanmar, it appears to be particularly focused on users based in Vietnam.
"[The] campaign has been active since at least 2015 and is still on-going, featuring multiple versions of a complex spyware - software created to gather victims' data - and smart distribution tactics, including distribution via dozens of applications on the Google Play official market," Kaspersky says.
Kaspersky researchers uncovered the campaign after the Doctor Web team published details of a new backdoor Trojan that they found hiding in an app, which was available on Google Play Store and disguised as an OpenGL Plugin.
Once downloaded and launched by an Android user, the app simulated a check for a newer version of OpenGL ES. However, it actually installed a backdoor to exfiltrate user information from the device.
Doctor Web revealed that the Trojan was more complex than other malware programmes that were being used by hackers to steal credentials and financial information from Android devices.
Kaspersky says it found many malicious apps linked to "PhantomLance" that were spreading similar samples of the new Trojan on Google Play. Many of these malicious apps claimed to help users locate nearby pubs or churches in Vietnam.
These apps were also available on unofficial APK download sites, such as apkcombo[.]com, apkpourandroid[.]com, apk[.]support, and apkpure[.]com.
Researchers have traced multiple variations of "PhantomLance" malware in recent months, and all of them are capable of stealing contacts, phone call logs, SMS messages, GPS data, and other sensitive information from the infected device.
Kaspersky said it reported all malicious apps found on Play Store to Google, and all those apps have since been removed from the store.
APT32 is a Vietnam-state-backed APT group that has previously targeted many foreign companies investing in Vietnam. The group has also been reported targeting research institutes, media houses, human rights groups, and various other organisations in foreign countries.
Recently, APT32 was noticed targeting Chinese state agencies in efforts to steal valuable Covid-19-related information.
The US cyber security firm FireEye said that the spear-phishing attacks from APT32 have been on-going since January 2020, with the actors trying to compromise the professional and personal email accounts of people working for the government of Wuhan and the Chinese Ministry of Emergency Management.
The lures that APT32 sent to its Chinese targets included Covid-19 themes designed to entice them to click on the links.