PhantomLance: Vietnamese Cyberspies Targeted Users of Android for Years


[email protected] – Kaspersky’s safety researchers have uncovered a long-running adware marketing campaign focusing on Android customers that bears the marks of Vietnam-linked hacking group OceanLotus.

Dubbed PhantomLance and energetic since not less than 2015, the continued marketing campaign employs a posh piece of adware designed to reap sufferer information. A number of variations of the malware have been noticed, some distributed by way of malicious functions in Google Play

The adware was initially uncovered by Physician Net in July 2019, in Google Play with capabilities reminiscent of gathering and exfiltration of data (contacts, textual content messages, name historical past gadget location, and put in functions), file obtain and execution, file add, shell command execution, and extra.

Drawn by the adware’s sophistication degree and habits, Kaspersky’s safety researchers began an investigation that exposed one other very comparable pattern on Google Play In contrast to different malware authors, nonetheless, the app’s builders didn’t try and put it up for sale in any manner, suggesting they weren’t fascinated about mass spreading, which hints at APT exercise.

The researchers found further variations of the malware, many deployed in Google Play and eliminated. They featured a number of code similarities and the identical performance: info gathering and payload execution. The latest of the samples was printed on the official Android market on November 6, 2019 (Google has already eliminated it).

A number of variants of the malware have been recognized by BlackBerry researchers too, who included info on them in a report printed in October 2019. BlackBerry refers to PhantomLance as OceanMobile.

By packing the malware with payload obtain and execution capabilities, the menace actor “was capable of keep away from overloading the appliance with pointless options and on the similar time collect the specified info,” Kaspersky explains.

PhantomLance malware was primarily distributed by way of app marketplaces, utilizing pretend developer profiles most often (with related GitHub accounts). The primary variations of the apps have been uploaded to the storefronts with out malicious code, however later updates delivered each the malicious payloads and the code to drop and execute them.

The apps don’t point out suspicious permissions within the manifest file, however they’re requested dynamically and hidden contained in the dex executable. Moreover, if root entry is accessible, the malware makes use of a mirrored image name to an undocumented API operate to get the permissions it wants.

The safety researchers noticed roughly 300 an infection makes an attempt since 2016, focusing on Android gadgets in India, Vietnam, Bangladesh and Indonesia, with Nepal, Myanmar and Malaysia additionally affected. Vietnam was hit probably the most, with some malicious functions made solely in Vietnamese.

Kaspersky recognized code similarities with an older OceanLotus marketing campaign focusing on Android customers in Vietnam and China between 2014 and 2017. Similarities with macOS backdoors and infrastructure overlaps with Home windows backdoors, together with cross-platform resemblances have been additionally recognized.

Thus, the researchers assess with medium confidence that OceanLotus is behind PhantomLance. In truth, they consider that PhantomLance is the successor of the menace actor’s earlier Android marketing campaign.

Also referred to as APT32 or APT-C-00, OceanLotus is believed to have ties to the Vietnamese authorities and to be well-resourced and decided. Primarily focusing on company and authorities organizations in Southeast Asia the adversary just lately mounted an espionage marketing campaign in opposition to Chinese language targets, to collect info associated to the present COVID-19 disaster.

“This marketing campaign is an impressive instance of how superior menace actors are shifting additional into deeper waters and changing into more durable to search out,” mentioned Alexey Firsh, safety researcher at Kaspersky’s World Analysis & Evaluation Crew (GReAT). “We will additionally see that using cellular platforms as a main an infection level is gaining popularity, with increasingly actors advancing on this space. These developments underline the significance of steady enchancment of menace intelligence and supporting providers, which might assist in monitoring menace actors and discovering overlaps between varied campaigns.”

*Up to date to say BlackBerry analysis on the assaults.

Associated: Vietnamese Hackers Mount COVID-19 Espionage Campaigns Towards China

Associated: Vietnam-Linked Hackers Use Atypical Executables to Keep away from Detection

Ionut Arghire is a world correspondent for SecurityWeek.

Earlier Columns by Ionut Arghire:

information security news feed,cyber security news sites

You May Also Like