App stores are lagging way behind the scheming minds of advanced persistent threat actors.

In July 2019, third-party security researchers reported a new spyware sample found on Google Play. Its sophistication and behavior were very different from the common Trojans usually uploaded to official app stores.

Researchers from Kaspersky had their interest piqued and, unable to find another closely similar sample of this malware on Google Play, kept digging. They subsequently detected a sophisticated malicious campaign targeting users of Android devices, which can be attributed with medium confidence to the OceanLotus advanced persistent threat (APT) actor.

The campaign, dubbed PhantomLance, seems to have been active since at least 2015 and is still ongoing, featuring multiple versions of a complex spyware. It gathers victims’ data and uses smart distribution tactics, including distribution via dozens of applications on the official Google Play market.

Some things did not add up

Usually, if malware creators manage to upload a malicious app to a legitimate app store, they invest considerable resources into promoting the application to increase the number of installations and thus the number of victims.

With the PhantomLance apps, that did not happen. It looked like the operators behind them were not interested in mass spread. For researchers, this was a hint of targeted APT activity. Additional research uncovered several versions of this malware with dozens of samples, connected by multiple code similarities.

The functionality of all the samples was similar: the main purpose of the spyware was to gather information. The basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access. However, the application could also gather a list of installed applications, as well as device information, such as the model and OS version.

Furthermore, the threat actor was able to download and execute various malicious payloads, and thus deliver a payload suited to the specific device environment, such as the Android version and installed apps. This way, the actor avoided overloading the application with unnecessary features while still gathering the information needed.

Further research indicated that PhantomLance was mainly distributed on various platforms and marketplaces, including, but not limited to, Google Play and APKpure. To make the applications seem legitimate, in almost every case of malware deployment the threat actors tried to build a fake developer profile by creating an associated GitHub account.

In order to evade the filtering mechanisms employed by marketplaces, the first versions of an application uploaded by the threat actor did not contain any malicious payloads. With later updates, however, the applications received both malicious payloads and code to drop and execute those payloads.
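The two techniques just described, a first release that declares only harmless capabilities and a later update that adds the data-collection permissions together with code to load and run a downloaded payload, lend themselves to a simple review-side check over an app's version history. The following is an added illustrative example, not code from Kaspersky, Google, or the article: it assumes that for each version a static summary (declared manifest permissions and referenced class names) has already been extracted, for instance with a tool such as androguard, and it flags updates that gain several spyware-relevant capabilities or a dynamic code-loading primitive in one step. The permission and class names are real Android identifiers; the version history is constructed.

```python
"""Triage heuristic for app-update version histories (added example).

Input per version is a constructed static summary: the permissions declared in
AndroidManifest.xml and the class names referenced from the DEX code. Extracting
those from a real APK (e.g. with androguard) is assumed and not shown here.
"""
from dataclasses import dataclass, field

# Permissions that together match the collection capability described for
# PhantomLance: location, call logs, contacts, SMS and installed-app inventory.
# QUERY_ALL_PACKAGES only exists from Android 11; older releases could list
# installed packages without any permission, so its absence proves nothing.
SPYWARE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
}

# Class references indicating the app can load and run code it did not ship
# with at review time (the "drop and execute later" pattern).
DYNAMIC_LOADING_CLASSES = {
    "dalvik/system/DexClassLoader",
    "dalvik/system/PathClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
}


@dataclass(frozen=True)
class VersionSummary:
    version_code: int
    permissions: frozenset
    referenced_classes: frozenset


@dataclass
class UpdateFinding:
    from_version: int
    to_version: int
    new_capabilities: set = field(default_factory=set)
    gained_dynamic_loading: bool = False

    @property
    def score(self) -> int:
        # One point per distinct capability gained, plus three if the update
        # also introduced a code-loading primitive that was absent before.
        return len(self.new_capabilities) + (3 if self.gained_dynamic_loading else 0)


def compare_versions(old: VersionSummary, new: VersionSummary) -> UpdateFinding:
    """Describe what a single update added relative to the previous version."""
    added = new.permissions - old.permissions
    caps = {SPYWARE_PERMISSIONS[p] for p in added if p in SPYWARE_PERMISSIONS}
    had_loader = bool(old.referenced_classes & DYNAMIC_LOADING_CLASSES)
    has_loader = bool(new.referenced_classes & DYNAMIC_LOADING_CLASSES)
    return UpdateFinding(old.version_code, new.version_code, caps,
                         has_loader and not had_loader)


def review_history(history, threshold: int = 3):
    """Walk a version history in order; return findings scoring >= threshold."""
    ordered = sorted(history, key=lambda v: v.version_code)
    return [f for prev, cur in zip(ordered, ordered[1:])
            if (f := compare_versions(prev, cur)).score >= threshold]


# Constructed sample: a benign-looking first release, an update that adds four
# collection permissions and a class loader at once, then a minor follow-up.
SAMPLE_HISTORY = [
    VersionSummary(1, frozenset({"android.permission.INTERNET"}),
                   frozenset({"okhttp3/OkHttpClient"})),
    VersionSummary(2, frozenset({"android.permission.INTERNET",
                                 "android.permission.ACCESS_FINE_LOCATION",
                                 "android.permission.READ_CALL_LOG",
                                 "android.permission.READ_CONTACTS",
                                 "android.permission.READ_SMS"}),
                   frozenset({"okhttp3/OkHttpClient",
                              "dalvik/system/DexClassLoader"})),
    VersionSummary(3, frozenset({"android.permission.INTERNET",
                                 "android.permission.ACCESS_FINE_LOCATION",
                                 "android.permission.READ_CALL_LOG",
                                 "android.permission.READ_CONTACTS",
                                 "android.permission.READ_SMS",
                                 "android.permission.QUERY_ALL_PACKAGES"}),
                   frozenset({"okhttp3/OkHttpClient",
                              "dalvik/system/DexClassLoader"})),
]

if __name__ == "__main__":
    for f in review_history(SAMPLE_HISTORY):
        print(f"update {f.from_version}->{f.to_version}: score {f.score}, "
              f"gained {sorted(f.new_capabilities)}, "
              f"dynamic loading added: {f.gained_dynamic_loading}")
```

The point of scoring the delta rather than the final state is that a reviewer who only looks at the latest version sees an app that has always declared these permissions, while the history shows a single update that moved it from a network-only utility to a full collection tool with a class loader. The threshold and weights are illustrative; the update from version 2 to 3 scores one point and is not reported, whereas the update from 1 to 2 scores seven.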

Ties to OceanLotus

According to Kaspersky Security Network, since 2016 around 300 infection attempts have been observed on Android devices in countries such as India, Vietnam, Bangladesh and Indonesia. While the detection statistics include collateral infections, Vietnam stood out as one of the top countries by number of attempted attacks; some malicious applications used in the campaign were also made exclusively in Vietnamese.

Using an internal tool to find similarities between different pieces of malicious code, Kaspersky’s researchers determined that PhantomLance payloads were at least 20% similar to those of an older Android campaign associated with OceanLotus, an actor that has been in operation since at least 2013 and whose targets are mostly located in South East Asia. Moreover, several important overlaps were found with previously reported OceanLotus activity on Windows and macOS. Thus, the researchers believe the PhantomLance campaign can be tied to OceanLotus with medium confidence.

Kaspersky has reported all discovered samples to the owners of the legitimate app stores. Google Play has confirmed that the applications have been taken down.

Alexey Firsh, security researcher at Kaspersky, commented: “This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find. PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals.”

Firsh said the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area. “These developments underline the importance of continuous improvement of threat intelligence and supporting services, which could help in tracking threat actors and finding overlaps between various campaigns.”