Android fans are being warned about a group of hackers who have been trying to smuggle spyware inside apps shared via the Google Play Store for years. Security experts from Kaspersky Lab uncovered the Android malware campaign which has been taking place since December 2015. Researchers discovered dozens of apps filled with malware that have been released since 2016 on Android app marketplaces such as the Google Play Store.
Other third-party Android app stores that have been affected are APKpure and APKCombo. In a post on Securelist, Kaspersky outlined the malware campaign which they have dubbed ‘PhantomLance’.
The research said the Android malware campaign overlaps with previous campaigns that targeted Windows and macOS, which were attributed to threat actor group OceanLotus.
Outlining the malware campaign Kaspersky said: “[The] campaign has been active since at least 2015 and is still ongoing, featuring multiple versions of a complex spyware – software created to gather victims’ data – and smart distribution tactics, including distribution via dozens of applications on the Google Play official market”.
Kaspersky investigated the malware campaign after Dr Web discovered a backdoor trojan on the Google Play Store last July. It allowed cybercriminals to remotely control infected Android devices and spy on users, and the threat was later attributed to OceanLotus.
In its findings, Kaspersky identified multiple code similarities between that earlier Android campaign and the latest one.
The Kaspersky report said: “The threat actor was able to download and execute various malicious payloads, and thus adapt the payload that would be suitable to the specific device environment, such as the Android version and installed apps. This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information”.
Kaspersky listed a number of the Android apps which contained PhantomLance malware. Here are the names of the packages…
These were removed from the Google Play Store in November 2019 after Kaspersky reported their findings to the search engine giant. However, Kaspersky said that this is not the case with unofficial app marketplaces where the compromised software is still listed.
Kaspersky said that, to avoid detection, the threat actors would first upload clean versions of an app without any malicious payload. Updates released later for those apps then contained the malicious code.
Kaspersky said: “These versions were accepted because they contained nothing suspicious, but follow-up versions were updated with both malicious payloads and code to drop and execute these payloads”.
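The staged-update pattern described above (a clean first release, then an update that adds a dropper) is something a defender can check for cheaply by diffing each new version's AndroidManifest.xml against the previously vetted version. The following is an added example, not code from Kaspersky or the report; the two manifests, the package name and the permission watchlist are constructed for illustration, and the watchlist is an assumed subset rather than any official Android list.

```python
"""Flag risky changes between two versions of an Android app manifest.

Added example (not from the Kaspersky report). It parses two versions of
AndroidManifest.xml and reports newly added permissions, newly added
components, and components that became exported, so an update that
suddenly requests contacts or microphone access, or registers a new
exported receiver, is sent for manual review instead of being waved
through because the first version looked clean.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed watchlist: permissions whose sudden appearance in an update
# deserves a human look. Extend to taste; this is not an official list.
WATCHLIST = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

COMPONENT_TAGS = ("service", "receiver", "activity")

# Constructed sample manifests: v1 is a harmless-looking first release,
# v2 is an update that adds spyware-style permissions and a boot receiver.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
  </application>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>"""


def _permissions(root):
    """Set of permission names declared via <uses-permission>."""
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def _components(root):
    """Map (tag, name) -> exported flag for services, receivers, activities."""
    comps = {}
    for tag in COMPONENT_TAGS:
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            exported = el.get(ANDROID_NS + "exported", "false") == "true"
            comps[(tag, name)] = exported
    return comps


def diff_manifests(old_xml: str, new_xml: str) -> dict:
    """Compare two manifest versions and summarise what the update added."""
    old, new = ET.fromstring(old_xml), ET.fromstring(new_xml)
    added_perms = _permissions(new) - _permissions(old)
    old_c, new_c = _components(old), _components(new)
    return {
        "added_permissions": sorted(added_perms),
        "watchlist_hits": sorted(added_perms & WATCHLIST),
        "added_components": sorted(set(new_c) - set(old_c)),
        # Components exported now that were absent or non-exported before.
        "newly_exported": sorted(
            k for k in new_c if new_c[k] and not old_c.get(k, False)
        ),
    }


def needs_review(report: dict) -> bool:
    """True when the update should be held for manual vetting."""
    return bool(report["watchlist_hits"] or report["newly_exported"])


if __name__ == "__main__":
    report = diff_manifests(MANIFEST_V1, MANIFEST_V2)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("hold for review:", needs_review(report))
```

Run it on the real manifests extracted from the previously approved APK and the candidate update (for example via `aapt dump xmltree` or a decompiler); the point is that the first, clean version becomes the baseline, so the later malicious update is judged by what it adds rather than on its own.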
Speaking to Bleeping Computer, Alexey Firsh, security researcher at Kaspersky, said: “PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals.
“We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area.”