Kaspersky Shares Findings on PhantomLance Espionage Campaign in Southeast Asia

Kaspersky researchers detected a sophisticated malicious campaign targeting users of Android devices, which can be attributed with medium confidence to the OceanLotus advanced persistent threat actor, the company said.

Dubbed PhantomLance, the campaign has been active since at least 2015 and is still ongoing. It features multiple versions of a complex spyware — software created to gather victims' data — and careful distribution tactics, including delivery through dozens of applications on the official Google Play market.

In July 2019, third-party security researchers reported a new spyware sample found on Google Play. The report attracted Kaspersky's attention because of its unexpected features: its level of sophistication and its behavior were very different from the common Trojans usually uploaded to official app stores.

Kaspersky researchers were able to find another very similar sample of this malware on Google Play. Usually, if malware creators manage to upload a malicious app to a legitimate app store, they invest considerable resources in promoting the application to increase the number of installations and thus the number of victims. This wasn't the case with these newly discovered malicious apps: the operators behind them appeared uninterested in mass distribution. For the researchers, this was a hint of targeted APT activity. Additional research uncovered several versions of this malware, with dozens of samples connected by multiple code similarities.

Kaspersky reported all discovered samples to the owners of the legitimate app stores. Google Play has confirmed that they have taken down the applications.

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky's deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. Learn more at usa.kaspersky.com.