For the last 4 years, an Android malware family known as ‘PhantomLance’ has been stealing user information through malicious apps that were available on the Google Play Store and on a popular third-party APK website.
Kaspersky researchers have found that the ‘PhantomLance’ campaign has been active since 2016 and is still in use. The attackers managed to inject the malicious code into some utility apps and then publish them on the Google Play Store. The campaign is targeted at a few countries in Southeast Asia.
As soon as a user installs and opens an app carrying the malware, it checks for new OpenGL ES versions and installs a backdoor to steal user information. The sensitive information collected by the malicious code includes device information, OS, country, call logs, SMS, contacts, etc. Apart from this, the spyware in PhantomLance tracks GPS data as well.
After the required data has been collected from the user’s device, it is sent to the operator’s command-and-control (C2) server on the attacker side. The C2 server can also deploy additional malicious payloads.
As per the research by Kaspersky, it is believed that fake developer profiles were first created with associated GitHub accounts. As it is not that easy to get an application containing malware onto the Google Play Store, the first version of each app uploaded to the Play Store did not contain malicious code. With later updates, the attackers gradually injected the malicious code, turning the app into spyware.
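The staged approach described above, a clean first release followed by updates that add the data-collection code, leaves a trace a defender can check for: the permission set in the app’s manifest grows from one version to the next. The script below is an added example, not Kaspersky’s or Google’s tooling, and the two manifests it compares are constructed samples; in practice the manifest of each APK version would be dumped with a tool such as androguard or `aapt` and fed to `permission_drift`. The permission list and the review threshold are assumptions chosen to match the data the article says PhantomLance collects.

```python
"""Flag Android app updates whose manifest newly requests the permissions a
backdoor would need to collect call logs, SMS, contacts and location.

Illustrative example, not the original page's or Kaspersky's code. The two
manifests below are constructed samples standing in for two versions of the
same app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together cover the data the article says PhantomLance
# collects (call logs, SMS, contacts, GPS) plus network access for C2 traffic.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.INTERNET",
}

# Constructed sample: version 1 looks like a plain utility app.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.utility" android:versionCode="1">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed sample: a later update adds the data-collection permissions.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.utility" android:versionCode="7">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""


def permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    # ElementTree expands the android: prefix to the full namespace URI.
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def permission_drift(old_xml: str, new_xml: str) -> dict:
    """Compare two manifest versions and report newly requested permissions."""
    added = permissions(new_xml) - permissions(old_xml)
    sensitive_added = added & SENSITIVE_PERMISSIONS
    return {
        "added": sorted(added),
        "sensitive_added": sorted(sensitive_added),
        # Threshold is an assumption: three or more new data-access
        # permissions in a single update is the pattern worth manual review.
        "suspicious": len(sensitive_added) >= 3,
    }


if __name__ == "__main__":
    print(permission_drift(MANIFEST_V1, MANIFEST_V2))
```

The check is deliberately coarse: it does not inspect code, only the declared permission set, so it is a triage signal for deciding which updates deserve static analysis rather than a verdict on its own.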
It is believed that an Advanced Persistent Threat (APT) group may be behind the campaign. It is considered to be the work of APT32, also known as OceanLotus and linked to Vietnam, or of the Chinese government.
After the issue was reported, Google removed the apps from the Play Store listings. But many devices still have the apps installed, leaving them exposed.
The malware is targeted at devices in Vietnam, Bangladesh, India, and Indonesia. Some infections were also found in South Africa, Nepal, Algeria, Iran, Malaysia, and Myanmar.