Friday, March 29, 2024

Malicious espionage campaign targeting Android users in SE Asia

Kaspersky researchers said they have detected a sophisticated malicious campaign targeting users of Android devices, which can be attributed with medium confidence to the OceanLotus advanced persistent threat actor.

Latest example of spyware in Google Play disguised as a browser cleaner

Dubbed PhantomLance, the campaign has been active since at least 2015 and is still ongoing, featuring multiple versions of a complex spyware – software created to gather victims’ data – and smart distribution tactics, including distribution via dozens of applications on the official Google Play store.

In July 2019, third-party security researchers reported a new spyware sample found on Google Play. The report attracted Kaspersky’s attention due to its unexpected features – its sophistication level and behavior were very different from the common Trojans usually uploaded to official app stores.

Kaspersky researchers were able to find another very similar sample of this malware on Google Play. Usually, if malware creators manage to upload a malicious app to a legitimate app store, they invest considerable resources into promoting the application to increase the number of installations and thus the number of victims.

This wasn’t the case with these newly-discovered malicious apps. It looked like the operators behind them were not interested in mass spread. For researchers, this was a hint of targeted APT activity.

Additional research enabled the discovery of several versions of this malware with dozens of samples, connected by multiple code similarities.

The functionality of all the samples was similar – the main purpose of the spyware was to gather information. While the basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information, such as the model and OS version.

Furthermore, the threat actor was able to download and execute various malicious payloads, and thus, adapt the payload that would be suitable to the specific device environment, such as the Android version and installed apps. This way the actor was able to avoid overloading the application with unnecessary features and at the same time gather the information needed.

Further research indicated that PhantomLance was mainly distributed on various platforms and marketplaces, including, but not limited to, Google Play and APKpure. To make applications seem legitimate, in almost every case of malware deployment the threat actors tried to build a fake developer profile by creating an associated GitHub account.

In order to evade filtering mechanisms employed by marketplaces, the first versions of the application uploaded by the threat actor to marketplaces did not contain any malicious payloads. However, with later updates, applications received both malicious payloads and code to drop and execute these payloads.
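The staged delivery described above (a clean first upload, with collection capabilities and a payload dropper arriving in later updates) and the capability set listed earlier (geolocation, call logs, contacts, SMS, plus downloading and executing further code) suggest a simple defender-side check: compare consecutive releases of one app and flag updates that widen both what the app can collect and whether it can load code it did not ship with. The following is an added example written for this article, not Kaspersky’s tooling or anything recovered from the PhantomLance samples. It works on constructed release records (a hypothetical "browser cleaner" app, its permission sets and referenced class names) rather than parsing real APKs; the permission and class names themselves are real Android identifiers, and their presence alone is not evidence of malice.

```python
"""
Release-delta triage for app store submissions.

Added example (not the article's or Kaspersky's code). Models the pattern
of a clean first upload followed by updates that add both data-collection
permissions and dynamic code loading. Inputs are constructed release
records; in practice they would be derived from each version's manifest
and dex class references.
"""
from dataclasses import dataclass

# Permissions covering the data categories named in the article
# (geolocation, call logs, contacts, SMS). Real Android permission names.
COLLECTION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
}

# Real Android class loaders that let an app run code fetched at runtime.
# Many legitimate apps use them; the signal is their *sudden appearance*
# in an update, not their presence as such.
DYNAMIC_LOAD_CLASSES = {
    "dalvik/system/DexClassLoader",
    "dalvik/system/PathClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
}


@dataclass(frozen=True)
class Release:
    version: str
    permissions: frozenset   # declared manifest permissions
    class_refs: frozenset    # class names referenced by the app's dex code


@dataclass(frozen=True)
class Finding:
    version: str
    added_collection: tuple  # data categories newly reachable in this version
    added_dynamic_load: bool # dynamic code loading first appears in this version
    severity: str            # "high", "medium" or "info"


def categories(perms):
    """Map a permission set to the data categories it grants access to."""
    return {COLLECTION_PERMS[p] for p in perms if p in COLLECTION_PERMS}


def assess_update(prev, cur):
    """Compare two consecutive releases. Return a Finding if the update widens
    the app's collection or execution capabilities, otherwise None."""
    added = sorted(categories(cur.permissions) - categories(prev.permissions))
    had_loader = bool(prev.class_refs & DYNAMIC_LOAD_CLASSES)
    has_loader = bool(cur.class_refs & DYNAMIC_LOAD_CLASSES)
    new_loader = has_loader and not had_loader
    if not added and not new_loader:
        return None
    if new_loader and len(added) >= 2:
        severity = "high"     # dropper capability and broad collection arrive together
    elif new_loader or len(added) >= 2:
        severity = "medium"
    else:
        severity = "info"     # a single new permission: worth logging, not alarming
    return Finding(cur.version, tuple(added), new_loader, severity)


def triage_history(releases):
    """Walk an app's release history in order and collect every finding."""
    findings = []
    for prev, cur in zip(releases, releases[1:]):
        finding = assess_update(prev, cur)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample history (hypothetical package name). v1.0 ships clean,
# v1.1 adds one plausible-looking permission, v1.2 adds a class loader and
# the rest of the collection set in a single update.
SAMPLE_HISTORY = [
    Release("1.0",
            frozenset({"android.permission.INTERNET"}),
            frozenset({"com/example/cleaner/MainActivity"})),
    Release("1.1",
            frozenset({"android.permission.INTERNET",
                       "android.permission.ACCESS_FINE_LOCATION"}),
            frozenset({"com/example/cleaner/MainActivity"})),
    Release("1.2",
            frozenset({"android.permission.INTERNET",
                       "android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.READ_CALL_LOG",
                       "android.permission.READ_CONTACTS",
                       "android.permission.READ_SMS"}),
            frozenset({"com/example/cleaner/MainActivity",
                       "dalvik/system/DexClassLoader"})),
]

if __name__ == "__main__":
    for f in triage_history(SAMPLE_HISTORY):
        print(f"v{f.version}: +{', '.join(f.added_collection) or 'none'}; "
              f"dynamic loading {'newly present' if f.added_dynamic_load else 'unchanged'}; "
              f"severity={f.severity}")
```

Running the script on the constructed history reports v1.1 as "info" (one new category) and v1.2 as "high" (three new categories together with a newly referenced class loader). The point of comparing versions rather than inspecting a single submission is that the article's staged approach is designed to look clean at first review; a store or enterprise MDM pipeline that keeps the previous version's capabilities and diffs each update against them sees the jump that a one-off scan does not.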

According to Kaspersky Security Network, since 2016, around 300 infection attempts were observed on Android devices in such countries as India, Vietnam, Bangladesh, and Indonesia. While detection statistics included collateral infections, Vietnam stood out as one of the top countries by number of attempted attacks; some malicious applications used in the campaign were also made exclusively in Vietnamese.

Using Kaspersky’s malware attribution engine – an internal tool to find similarities between different pieces of malicious code – the researchers were able to determine that PhantomLance payloads were at least 20% similar to the ones from one of the older Android campaigns associated with OceanLotus, an actor that has been in operation since at least 2013 and whose targets are mostly located in Southeast Asia.

Moreover, several important overlaps were found with previously reported activities of OceanLotus on Windows and macOS. Thus, Kaspersky researchers believe the PhantomLance campaign can be tied to OceanLotus with medium confidence.

Kaspersky reported all discovered samples to the owners of legitimate app stores. Google Play has confirmed that they have taken down the applications.

“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find. PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals,” commented Alexey Firsh, security researcher at Kaspersky’s GReAT.

“We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area. These developments underline the importance of continuous improvement of threat intelligence and supporting services, which could help in tracking threat actors and finding overlaps between various campaigns,” he said.
