PhantomLance Malware Campaign Spread Through the Google Play Store
Security researchers at Kaspersky Lab have discovered threat actors that have been using the Google Play Store for years to spread advanced Android malware that steals a wide range of sensitive data from users.
Security researchers from Kaspersky Lab have found that threat actors have been using the Google Play Store for years to spread sophisticated Android malware that steals a wide variety of confidential data from users. According to the researchers, a malicious campaign called "PhantomLance" targeted Android devices with malware and spyware payloads embedded in applications distributed through multiple platforms, including the Google Play Store and other Android app stores such as APKpure and APKCombo.
"The campaign has been active since at least 2015 and is still continuing, featuring several iterations of sophisticated spyware – victim data-gathering tools – and smart distribution strategies, including distribution through hundreds of Google Play official market applications," Kaspersky said.
Evading Google Safety Tests
Researchers found that the campaign's operators used advanced techniques to repeatedly circumvent the vetting process Google uses to detect malicious software. The attackers first submit a benign version of the app and only add the malicious functionality in a later update, after Google has already approved the software.
Kaspersky has reported more than 300 attacks on Android users in India, Vietnam, Bangladesh and Indonesia since 2016. Detections have also been recorded in Nepal, Myanmar and Malaysia. Below is a map of the countries with the highest number of attempted attacks.
Apart from the Android applications containing PhantomLance malware, Kaspersky also published a list of apps that were released and subsequently removed from the Play Store by Google in November 2019.
"During our thorough investigation, we saw some of the techniques often used by the threat actors to spread their malware. Initial versions of applications submitted to the app marketplaces did not contain any malicious payloads or payload code. These versions were approved because they contained nothing unusual, but the follow-up versions were patched with both malicious payloads and the code to drop and run these payloads. We were able to validate this behavior in all the tests, and we were able to find two versions of the programs, with and without a payload," Kaspersky added.
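The two-version pattern Kaspersky describes (a clean first release, a payload-carrying update) is exactly what an app-update review can look for. The following is an added defender-side example, not code from the article or from Kaspersky: it compares what a new app version introduces over the previous one, flagging newly added DEX code, native libraries, archives under assets/ (where a dropper typically stores its payload) and newly requested permissions. It assumes the binary AndroidManifest.xml has already been decoded to plain XML (for instance with apktool); the two "APKs" below are constructed in memory for the demonstration.

```python
import io
import re
import zipfile

# Files whose first appearance in an update deserve a second look: new DEX code,
# new native libraries, or archives hidden under assets/ (a dropper's payload).
SUSPECT = re.compile(r"^(classes\d*\.dex|lib/.*\.so|assets/.*\.(dex|jar|apk|zip))$")
PERM = re.compile(r'uses-permission android:name="([^"]+)"')


def build_apk(manifest, extra_files):
    """Constructed stand-in for an APK: a zip with a plaintext manifest (assumption:
    the real binary-XML manifest has been decoded beforehand)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        for name, data in extra_files.items():
            z.writestr(name, data)
    return buf.getvalue()


def inventory(apk_bytes):
    """Return (set of archive entries, set of requested permissions)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        perms = set(PERM.findall(z.read("AndroidManifest.xml").decode()))
    return names, perms


def diff_versions(old_apk, new_apk):
    """Report what the update introduced that the approved version did not have."""
    old_names, old_perms = inventory(old_apk)
    new_names, new_perms = inventory(new_apk)
    added = new_names - old_names
    return {
        "new_suspect_files": sorted(f for f in added if SUSPECT.match(f)),
        "new_permissions": sorted(new_perms - old_perms),
    }


# Constructed sample: v1 is the benign release, v2 the "patched" follow-up.
V1_MANIFEST = '<manifest><uses-permission android:name="android.permission.INTERNET"/></manifest>'
V2_MANIFEST = ('<manifest><uses-permission android:name="android.permission.INTERNET"/>'
               '<uses-permission android:name="android.permission.READ_CONTACTS"/></manifest>')
V1 = build_apk(V1_MANIFEST, {"classes.dex": b"dex\n035", "res/layout/main.xml": b"<x/>"})
V2 = build_apk(V2_MANIFEST, {"classes.dex": b"dex\n035", "res/layout/main.xml": b"<x/>",
                             "classes2.dex": b"dex\n035", "assets/update.jar": b"PK"})


def report():
    return diff_versions(V1, V2)


if __name__ == "__main__":
    print(report())
```

A hit here is a reason to re-vet the update, not proof of malice: legitimate apps also add code and permissions, so the value is in reviewing the delta rather than re-scanning only the first submission.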