PhantomLance, a four-year-long cyberespionage spying campaign

Kaspersky Lab uncovered an ongoing cyberespionage campaign, dubbed PhantomLance, that distributed malicious spying apps through the official Google Play store.

The campaign has been active for at least four years. Experts discovered “dozens” of malicious apps in Google Play, some of which included a new Trojan; malicious apps were also found on the APK download site APKpure.

In 2019, researchers from Dr. Web discovered a backdoor Trojan in Google Play that stood out from other threats because of its level of sophistication, which prompted Kaspersky to investigate it. The malware was an info stealer and, according to the researchers, it was part of a long-term campaign, tracked as “PhantomLance”, that has been active at least since December 2015.

“We found dozens of related samples that had been appearing in the wild since 2016 and had been deployed in various application marketplaces including Google Play.” reads the analysis published by Kaspersky. “One of the latest samples was published on the official Android market on November 6, 2019. We informed Google of the malware, and it was removed from the market shortly after.”

The Trojan was hidden in a Google Play application that masqueraded as an OpenGL plugin: once executed, it simulated a check for new versions of OpenGL ES but actually installed a backdoor.

Kaspersky experts found a similar sample on Google Play that implemented a high level of encryption; furthermore, the malicious code was able to download and execute additional payloads tailored to the specific device environment (e.g. Android version, installed apps).

The PhantomLance malware implements classic spyware functionality: it can exfiltrate user data, phone call logs, SMS messages, contacts, and GPS data, and it can also deploy additional malicious payloads.

Kaspersky believes that the campaign was carried out by an Advanced Persistent Threat (APT) group; experts discovered multiple overlaps with campaigns attributed to the OceanLotus APT, including code similarities with a previous Android campaign and with macOS backdoors, as well as shared infrastructure.

“While analyzing the С2 server infrastructure, we quickly identified multiple domains that shared similarities with previous ones but were not linked to any known malware samples. This allowed us to uncover more pieces of the attackers’ infrastructure.” continues the analysis.

OceanLotus APT (also known as APT32 or Cobalt Kitty) has been active since at least 2013. It is a state-sponsored hacking group that has targeted organizations across multiple industries as well as foreign governments, dissidents, and journalists.

Recently the Vietnam-linked cyberespionage group carried out hacking campaigns against Chinese entities to collect intelligence on the COVID-19 crisis.

For most of the malware deployments, the threat actors built a fake developer profile by creating a GitHub account that contained only a fake end-user license agreement (EULA).

The researchers noticed that, in order to avoid detection, the first version of the malicious app uploaded to the Android stores (Google Play or APKpure) did not contain malicious code. The attackers later updated the applications with code that acts as a dropper for additional payloads.
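As a defender-side check for the staged-update tactic described above, and for the data types the spyware collects (call logs, SMS, contacts, GPS), here is an added Python example that is not part of the original article or of Kaspersky's analysis: it diffs the permission declarations of two versions of an app's AndroidManifest.xml and flags newly requested permissions that grant access to that data. The manifests and the package name are constructed samples, not real PhantomLance artifacts.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that grant the data types the article says PhantomLance exfiltrated.
SPYWARE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "phone call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS data",
    "android.permission.ACCESS_COARSE_LOCATION": "GPS data",
}

def manifest_permissions(manifest_xml):
    """Return the set of permissions declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def review_update(old_manifest, new_manifest):
    """Return the spyware-relevant permissions an update newly requests, as sorted
    (permission, data type) pairs; an empty list means no such capability was added."""
    added = manifest_permissions(new_manifest) - manifest_permissions(old_manifest)
    return sorted((p, SPYWARE_PERMISSIONS[p]) for p in added if p in SPYWARE_PERMISSIONS)

# Constructed sample manifests: version 1 looks like a harmless "OpenGL plugin",
# version 2 (the later update) requests the permissions a spyware payload needs.
V1_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.openglplugin" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

V2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.openglplugin" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
```

Calling `review_update(V1_MANIFEST, V2_MANIFEST)` returns the four newly requested spyware permissions, while comparing a version against itself returns an empty list; a real review pipeline would additionally diff the DEX code, since a dropper can fetch a payload with nothing more than the INTERNET permission already present in version 1.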

Experts observed around 300 infection attempts on Android devices in India, Vietnam, Bangladesh, and Indonesia since 2016.

Kaspersky reported its findings to Google, which has since removed the malicious apps from the official store.

“Based on the complete analysis of previous campaigns, with the actors’ interests in victims located in Vietnam, infrastructure overlaps between PhantomLance and OceanLotus for Windows, multiple code similarities between an old Android campaign and MacOS backdoors, we attribute the set of the Android activity (campaign 2014-2017 and PhantomLance) to OceanLotus with medium confidence.” concludes Kaspersky that also published Indicators of Compromise (IoCs) in its analysis.


Pierluigi Paganini

(SecurityAffairs – PhantomLance, hacking)
