Kaspersky Lab experts have warned of the ongoing PhantomLance malware campaign, in which malicious applications in the Google Play Store secretly spy and steal user data on Android devices.
According to experts, in the Google Play Store was discovered “a lot” of malicious applications related to PhantomLance and hiding the new trojan. In addition, similar malicious applications have been detected on the APKpure website.
Back in July last year, Dr.Web specialists detected malware on Google Play that spread under the guise of an OpenGL Plugin application. It allowed you to remotely control infected Android devices and monitor their users.
According to researchers at Kaspersky Lab, a similar sample of the trojan was found on the Google Play Store. The main goal of PhantomLance is the theft of user information, such as phone call logs, contacts, GPS data, SMS messages, as well as information about the device model and OS. A trojan can create a backdoor for transferring data to a C&C server, as well as for deploying additional malicious loads.
Experts suspect that the campaign may be behind the cybercriminal group APT32 (also known as OceanLotus). During the investigation, they discovered code fragments similar to the previous grouping campaigns and the backdoors it used for macOS, as well as parts of the infrastructure previously associated with attacks on Windows users.
“In almost all cases”, fake developer profiles were created with the corresponding accounts on GitHub, and to avoid detection, the first version of each application downloaded to the Google Play Store or APKpure did not contain malicious code.
Specialists told Google about all the malware found, and the company removed them from the store.