Kaspersky has issued a warning about an ongoing spying campaign that uses malicious applications in the Google Play Store to steal people's data.
Last Tuesday, internet security experts from Kaspersky said the campaign, now called PhantomLance, has been active in the Google Play Store for the past four years and is still ongoing.
According to their study, hundreds of malicious applications affiliated with PhantomLance, each hiding a new Trojan, have been found in the Google Play Store, the tech giant's official Android app store.
The malicious applications have also been present on APKpure, a website where people can download APKs for Android.
Focused on stealing
The spyware's functionality is narrowly focused. Researchers found that it can track a user's geolocation information, contacts and call history, and can even monitor SMS activity.
The malware can also collect lists of installed apps and device information, including the phone model and the version of the operating system.
Various versions of the malware have been discovered inside different applications in the Google Play Store since it was first flagged in July of last year. The researchers said that all of the collected samples were linked by similar code.
The spying campaign affected more than 300 devices across Asia, including in India, Vietnam, Indonesia, Iran and Malaysia. Researchers believe that the campaign is related to a well-known hacking group called OceanLotus, or APT32, which is known to be linked to the Vietnamese Government.
Kaspersky details how suspected Vietnamese state-sponsored hackers smuggled their spyware repeatedly into Google Play for a targeted espionage campaign, which they're calling PhantomLance. https://t.co/RcwDBCSYAo
— Andy Greenberg (@a_greenberg) April 28, 2020
Connection with OceanLotus
OceanLotus, also known as APT32, is a Vietnam-related APT that began operating in 2013. From January to April, the group was detected attacking the government of Wuhan in hopes of stealing information about China's COVID-19 response.
Over the more than four secretive years of the PhantomLance campaign, the malware operators created various copies of the malware to bypass Google Play Store's security filters.
The hackers used fake profiles and fake license agreements to gain approval by making the applications appear to have no malicious intent. They would then later release an update that converts the applications into hacking tools.
One version of this malware has the ability to grant permissions even without a user’s interaction.
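A defender-side check for the update pattern described above, as an added example that is not from Kaspersky's report or the original article: it diffs the permissions declared in two versions of an app's decoded AndroidManifest.xml and reports newly added ones that guard the data categories the article lists. The package name, both manifests and the permission-to-category mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: Android permissions guarding the data the article lists.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
}

# Constructed sample manifests (decoded text XML) for two releases of one app.
V1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fontviewer" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

V2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fontviewer" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def new_sensitive_permissions(old_xml, new_xml):
    """List (permission, data category) pairs that only the update declares."""
    added = declared_permissions(new_xml) - declared_permissions(old_xml)
    return sorted((p, SENSITIVE[p]) for p in added if p in SENSITIVE)

if __name__ == "__main__":
    for perm, category in new_sensitive_permissions(V1_MANIFEST, V2_MANIFEST):
        print(f"update adds {perm} (access to {category})")
```

A manifest diff only sees permissions the app declares, so it is one signal among several when reviewing an update.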
The Kaspersky team has already informed the owners of the concerned applications and Google Play Store has already removed the applications. However, according to the researchers, the espionage campaign is still ongoing.