Thursday, October 1, 11:04

Google Play: It hosted apps used in a spy campaign


Kaspersky has warned of an espionage campaign that involves malicious apps hosted on Google Play. The applications spy on Android users and steal their data.

On Tuesday, the company's researchers said the spy campaign, named PhantomLance (after the trojan it uses), has been running for four years and is still ongoing.

According to the research team, "dozens" of malicious applications linked to PhantomLance have been discovered, and the trojan was hosted on Google Play, the official app store for Android devices. Malicious applications were also found on the APK download site APKpure.

In July 2019, researchers at Doctor Web published an analysis of a new trojan hidden in a Google Play app that posed as an OpenGL plugin.

In reality, the malicious application installs a backdoor and starts stealing the user's information.

Kaspersky says a similar sample of this trojan was found on Google Play; it uses strong encryption and is able to adjust its malicious payload to the environment of the mobile device. This shows that PhantomLance is a dangerous espionage campaign.


The PhantomLance malware, of which many variants have been identified, has the basic functions of spyware: collecting and stealing user information such as call logs, contacts, GPS data, SMS messages, and device model and operating system details.

The trojan can open a backdoor to send the stolen data to the attackers' command-and-control (C2) server, and can also deploy additional malicious payloads.

Kaspersky believes an APT (Advanced Persistent Threat) group is behind the PhantomLance espionage campaign. It bases this assessment on the group's careful operational steps and its ability to cover its tracks. In "almost every case", the team says, fake developer profiles were linked to GitHub accounts. To avoid detection, the first version of each application uploaded to Google Play or APKpure contained no malicious code.

"With later updates, applications received malicious payloads and code to execute these payloads," says Kaspersky.

Researchers have identified about 300 attempts to infect Android devices, in countries such as India, Vietnam, Bangladesh and Indonesia.

Attributing activity to a specific hacking group is not easy. However, the PhantomLance spy campaign may be linked to the APT group OceanLotus, also known as APT32.

Kaspersky says (without absolute certainty) that OceanLotus is behind the payloads, because at least 20% of the codebase is similar to that used in previous cyber attacks by this group against Android users.

OceanLotus has been active since 2013 and is linked to espionage campaigns targeting the governments of Vietnam and China. Recently, such an espionage campaign was launched against the Chinese Ministry of Emergency Management and the Wuhan government; the hackers wanted to obtain information about the COVID-19 pandemic.

Kaspersky reported all the malicious applications it found, and Google removed them from Google Play.

"PhantomLance hackers have managed to bypass Google Play and other store filters several times, using advanced techniques to achieve their goals," said Alexey Firsh, a Kaspersky researcher.
