Google Play Store Apps Infected by PhantomLance Backdoor Had Been Stealing Data Since 2016
A group of hackers has been using Google Play Store to distribute malware which has been used to steal private data since the end of 2016.
Kaspersky Labs has shared a detailed report on PhantomLance Trojan backdoor, which is being called a sophisticated form of malware, which is not only harder to detect but also to investigate. Kaspersky shares that the malware can basically get access to all information on an infected smartphone:
The main objective of PhantomLance is to harvest confidential information from the victim’s device. The malware is able to supply its handlers with location data, call logs, text messages, lists of installed apps, and full information about the infected smartphone. What’s more, its functionality can be expanded at any moment simply by loading additional modules from the C&C server.
During investigation, the malware was found in popular apps and utilities that allow users to change fonts, remove advertisements and perform system cleanups. The developers behind these apps were able to bypass any security checks in Google Play Store by starting with non-malicious versions of their apps. Once the apps were published, they were able to add malicious features later onwards through updates, which went unchecked by Google Play Store. The developers were also able to create unique profiles on GitHub to act as credible development sources.
The primary targets for PhantomLance have reportedly been users in Vietnam, however, the infected apps had been downloaded in other parts of the world too. The trojan has been linked to a group called OceanLotus, which has a history of similar malware attacks on desktop operating systems. These groups are often backed by high level officials and even governments.
Even though Google has removed these apps from Play Store, they are still available online on various APK download websites, and other third-party stores.
It seems that even if you only install apps from Google Play Store, you are still unsafe unless you check the authenticity of the developers. A quick Google search can reveal a lot of credible information about developers, and if something seems dubious from the search results, avoid such apps. The open nature of Android can also work against it as anyone can simply sign up to Play Store and publish a malicious app.
This continues to be alarming for the world's most popular operating system, whether desktop or mobile. Android is used on 2.5 billion devices around the globe, and Google has repeatedly failed to provide adequate privacy and security safeguards to users for apps that are distributed through its official marketplace.
If you are interested in the technical background of how the malware works and the investigation that went on behind the scenes by Kaspersky Labs, read their detailed report here.