PhantomLance hacking campaign hides malware in Google Play

The PhantomLance espionage campaign targets Android users in certain countries in Southeast Asia using spyware spread through Google Play. Cybersecurity solutions firm Kaspersky looked into the third-party report and found unique Trojans exhibiting a high level of sophistication lurking on app stores.

At Kaspersky’s “Security Analyst Summit 2020”, which was held remotely, researchers said the spy campaign targets Android users in Bangladesh, India, Indonesia, and Vietnam, and that they believe the campaign is tied to OceanLotus, an actor that has been in operation since at least 2013.

The researchers saw at least 20% similarity to payloads from older Android campaigns also linked to OceanLotus (also known as APT32), which led them to attribute the campaign to that group “with medium confidence.”

“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find,” said Alexey Firsh, security researcher at Kaspersky’s GReAT. “PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals.”

Mobile platforms

Kaspersky also noted that mobile platforms are increasingly being used as a primary infection point.

The behavior of this malware contrasts sharply with the usual technique of mass-spreading malware to infect as many devices as possible. Kaspersky said that in this campaign the attackers appeared to favor a small number of carefully targeted infections.

Kaspersky said PhantomLance was distributed through various platforms and marketplaces, including, but not limited to, Google Play and APKpure. To deceive users, the attackers create fake developer profiles and link them to GitHub. The first versions of the applications carry no malicious payload; it is during later updates that the threat actors drop and execute the malicious code and then begin stealing data.
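The delayed-payload pattern described above (a clean first release, malicious capability arriving in an update) is why a one-time review of an app at submission is not enough. The following is an added example, not Kaspersky's tooling and not the campaign's real manifests: it parses AndroidManifest.xml text for successive versions of one app and flags any update that gains sensitive permissions or new background components. The two manifests and the list of permissions treated as sensitive are constructed for illustration.

```python
"""Flag app updates whose manifest gains capabilities the first release lacked.

Constructed example for illustration; the manifests below are invented and the
sensitive-permission list is an assumption a reviewer would tune to their policy.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# ElementTree expands namespaced attributes to "{uri}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions a reviewer treats as sensitive for this check.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


@dataclass(frozen=True)
class ManifestSummary:
    version_code: int
    permissions: frozenset
    receivers: frozenset   # broadcast receiver class names
    services: frozenset    # service class names


def summarize_manifest(xml_text):
    """Reduce a manifest to the parts relevant for a version-to-version comparison."""
    root = ET.fromstring(xml_text)
    version_code = int(root.get(ANDROID_NS + "versionCode", "0"))
    permissions = frozenset(
        e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")
    )
    app = root.find("application")
    receivers = frozenset(
        e.get(ANDROID_NS + "name") for e in app.iter("receiver")
    ) if app is not None else frozenset()
    services = frozenset(
        e.get(ANDROID_NS + "name") for e in app.iter("service")
    ) if app is not None else frozenset()
    return ManifestSummary(version_code, permissions, receivers, services)


def diff_versions(prev, curr):
    """Capabilities present in curr but absent from prev."""
    added_perms = curr.permissions - prev.permissions
    return {
        "added_permissions": sorted(added_perms),
        "added_sensitive": sorted(added_perms & SENSITIVE_PERMISSIONS),
        "added_receivers": sorted(curr.receivers - prev.receivers),
        "added_services": sorted(curr.services - prev.services),
    }


def flag_escalating_updates(summaries):
    """Walk the version history in versionCode order and return one alert per update
    that introduces sensitive permissions or new background components."""
    history = sorted(summaries, key=lambda m: m.version_code)
    alerts = []
    for prev, curr in zip(history, history[1:]):
        d = diff_versions(prev, curr)
        if d["added_sensitive"] or d["added_receivers"] or d["added_services"]:
            alerts.append((prev.version_code, curr.version_code, d))
    return alerts


# Constructed manifests: a benign-looking first release and an update that grows
# SMS/contacts access plus a boot-time receiver and a background service.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


def demo():
    """Run the check over the constructed history and return the alerts."""
    return flag_escalating_updates(
        [summarize_manifest(MANIFEST_V1), summarize_manifest(MANIFEST_V2)]
    )


if __name__ == "__main__":
    for prev_v, curr_v, d in demo():
        print(f"versionCode {prev_v} -> {curr_v}: {d}")
```

A manifest diff is a cheap signal, not a verdict: an update can also load code dynamically without declaring anything new, so in practice this check belongs alongside behavioral analysis of each update rather than replacing it.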

According to Kaspersky Security Network, around 300 infection attempts have been observed on Android devices since 2016. While the detection statistics include collateral infections, Vietnam stood out as one of the top countries by number of attempted attacks, and some of the malicious applications used in the campaign were made exclusively in Vietnamese.