Kaspersky researchers detected a sophisticated malicious campaign targeting users of Android devices, which can be attributed with medium confidence to the OceanLotus advanced persistent threat actor. Dubbed PhantomLance, the campaign has been active since at least 2015 and is still ongoing, featuring multiple versions of a complex spyware – software created to gather victims’ data – and smart distribution tactics, including distribution via dozens of applications on Google Play official market.
In July 2019, third party security researchers reported a new spyware sample found on Google Play. The report attracted Kaspersky’s attention due to its unexpected features – its sophistication level and behavior was very different from the common Trojans usually uploaded to official app stores. Kaspersky researchers were able to find another very similar sample of this malware on Google Play. Usually if malware creators manage to upload a malicious app in the legitimate app store, they invest considerable resources into promoting the application to increase the number of installations and thus increase the number of victims. This wasn’t the case with these newly-discovered malicious apps. It looked like the operators behind them were not interested in mass spread. For researchers, this was a hint of targeted APT activity. Additional research enabled the discovery of several versions of this malware with dozens of samples, connected by multiple code similarities.
The functionality of all the samples was similar – the main purpose of the spyware was to gather information. While the basic functionality was not very broad, and included geolocation, call logs, contact access and SMS access, the application could also gather a list of installed applications, as well as device information, such as the model and OS version. Furthermore, the threat actor was able to download and execute various malicious payloads, and thus, adapt the payload that would be suitable to the specific device environment, such as the Android version and installed apps. This way the actor was able to avoid overloading the application with unnecessary features and at the same time gather the information needed.
Further research indicated that PhantomLance was mainly distributed on various platforms and marketplaces, including, but not limited to, Google Play and APKpure. To make applications seem legitimate, in almost every case of malware deployment the threat actors tried to build a fake developer profile by creating an associated Github account. In order to evade filtering mechanisms employed by marketplaces, the first versions of the application uploaded by the threat actor to marketplaces did not contain any malicious payloads. However, with later updates, applications received both malicious payloads and a code to drop and execute these payloads.
According to Kaspersky Security Network, since 2016, around 300 infection attempts were observed on Android devices in such countries as India, Vietnam, Bangladesh and Indonesia. While detection statistics included collateral infections, Vietnam stood out as one of the top countries by number of attempted attacks; some malicious applications used in the campaign were also made exclusively in Vietnamese.
Using Kaspersky’s malware attribution engine – an internal tool to find similarities between different pieces of malicious code – the researchers were able to determine that PhantomLance payloads were at least 20% similar to the ones from one of the older Android campaign associated with OceanLotus, an actor that has been in operation since at least 2013 and whose targets are mostly located in South East Asia. Moreover, several important overlaps were found with previously reported activities of OceanLotus on Windows and MacOS. Thus, Kaspersky researchers believe the PhantomLance campaign can be tied to OceanLotus with medium confidence.
Kaspersky reported all discovered samples to the owners of legitimate app stores. Google Play has confirmed that they have taken down the applications.
“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find. PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals. We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area. These developments underline the importance of continuous improvement of threat intelligence and supporting services, which could help in tracking threat actors and finding overlaps between various campaigns,” comments Alexey Firsh, security researcher at Kaspersky’s GReAT.
The full report of the PhantomLance campaign is available on Securelist.
To avoid falling victim to targeted attacks on organizations or persons, Kaspersky recommends the following:
- Use a reliable security solution, such as Kaspersky Security Cloud, for comprehensive protection from a wide range of threats. The solution incorporates Kaspersky Secure Connection that prevents your online activity from being tracked, hides your IP address and location, and transfers your data over a secure VPN tunnel.
- Ensure your endpoint security solution is empowered with protection for mobile devices, such as Kaspersky Security for Mobile. It should enable application control to ensure that only legitimate apps can be installed on a corporate device, as well as rooting protection that permits blocking rooted devices or removing corporate data stored on them.
- Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions, such as Kaspersky Endpoint Detection and Response.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.