Five-Year PhantomLance Campaign Targeting Android Users

Written by

An ongoing, multi-year cyber-espionage campaign targeted individuals in south-east Asia hundreds of times with malware that bypassed Google Play filters, according to Kaspersky.

Active since at least 2015, the PhantomLance campaign is thought to be the work of OceanLotus (aka APT32), a likely Vietnamese state-backed APT group that recently targeted the Wuhan provincial government and Chinese Ministry of Emergency Management to try and find more info on the origins of COVID-19.

First disclosed by Blackberry last October, PhantomLance features multiple versions of spyware varying in sophistication, which were designed to steal info such as geolocation, call logs, contact access, application lists and SMS access, as well as download additional malicious payloads.

They were distributed on multiple platforms including Google Play and APKpure, with the group’s actors going to great lengths to stay under the radar. This included creation of fake developer profiles on GitHub, as well as other tactics.

“The initial versions of applications uploaded to app marketplaces did not contain any malicious payloads or code for dropping a payload,” explained Kaspersky.

“These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads. We were able to confirm this behavior in all of the samples, and we were able to find two versions of the applications, with and without a payload.”

The security firm has spotted about 300 infection attempts on Android devices in India, Vietnam, Bangladesh and Indonesia, with Vietnam one of the top targeted countries as well as a location for malicious app development.

According to Kaspersky, PhantomLance payloads were at least 20% similar to the ones from an OceanLotus Android campaign and there were also overlaps with the APT group’s Windows and MacOS malware.

“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find. PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals,” argued Kaspersky security researcher Alexey Firsh.

“We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area. These developments underline the importance of continuous improvement of threat intelligence and supporting services, which could help in tracking threat actors and finding overlaps between various campaigns.”

What’s hot on Infosecurity Magazine?