On Tuesday, the company's researchers said the spy campaign, named PhantomLance (so called trojan used), takes place for four years now and it continues.
According to the research team, they have been discovered "Dozens" of malicious applications linked to PhantomLance and hosting a new Trojan on Google Play, the official app store for Appliances Android. In addition, malicious applications have been found in the APK download website, APKpure.
In July 2019, its researchers Doctor Web had published a survey on a new Trojan that was hidden in a Google Play app and appeared as OpenGL Plugin.
Kaspersky says one a similar sample of this Trojan found on Google Play and uses high level encryption, while at the same time it has the ability to adjusts the malicious payload depending on the environment of the mobile device. This shows that PhantomLance is a dangerous espionage campaign.
PhantomLance malware, for which many variations have been identified, has them basic functions of a spyware spyware (removal and theft of user information, such as call logs, contacts, GPS data, SMS messages and device model and operating system information).
Trojan can create a backdoor to carries the stolen ones data on the command-and-control (C2) server of hackers, as well as develop extra malicious payloads.
Kaspersky believes that behind the PhantomLance espionage campaign is one APT team (Advanced Persistent Threat). She bases this conjecture on careful steps and her ability to cover her tracks. In "almost every case", the team says, fake profilers of developers linked to GitHub accounts. To avoid tracking, the first version of any application, uploaded to Google Play or APKpure, did not contain malicious code.
"With later updates, applications received malicious payloads and code to execute these payloads," says Kaspersky.
Researchers have identified about 300 attempts to infect devices Android, in countries such as India, Vietnam, Bangladesh and Indonesia.
Associating with a specific hacking team is not an easy task. However, the PhantomLance spy campaign may be linked to the APT team, OceanLotus, also known as APT32.
Kasperksy says (not with absolute certainty) that OceanLotus is behind payloads, because at least 20% of codebase is similar to previous cyber attacks of this group, targeting users Android.
OceanLotus has been active since 2013 and is linked to espionage campaigns targeting the governments of Vietnam and China. Recently, such an espionage campaign was launched against the Chinese Ministry of Emergency Management and the Wuhan government. The hackers they wanted to get information about the pandemic COVID-19.
Kaspersky reported all the malicious applications found Google removes them from Google Play.
"PhantomLance hackers have managed to bypass Google Play and other store filters several times, using advanced techniques to achieve their goals," said Alexey Firsh, a Kaspersky researcher.