PhantomLance: Vietnamese Cyberspies Targeted Android Users for Years

Kaspersky’s security researchers have uncovered a long-running spyware campaign targeting Android users that bears the marks of Vietnam-linked hacking group OceanLotus.

Dubbed PhantomLance and active since at least 2015, the ongoing campaign employs a complex piece of spyware designed to harvest victim data. Multiple versions of the malware have been observed, some distributed via malicious applications in Google Play.

The spyware was initially uncovered by Doctor Web in July 2019, in Google Play, with capabilities such as gathering and exfiltration of information (contacts, text messages, call history, device location, and installed applications), file download and execution, file upload, shell command execution, and more.

Drawn by the spyware’s sophistication level and behavior, Kaspersky’s security researchers started an investigation that revealed another very similar sample on Google Play. Unlike other malware authors, however, the app’s developers did not attempt to promote it in any way, suggesting they were not interested in mass spreading, which hints at APT activity.

The researchers discovered additional versions of the malware, many of them deployed in Google Play and since removed. They shared multiple code similarities and the same functionality: information gathering and payload execution. The most recent of the samples was published on the official Android market on November 6, 2019 (Google has since removed it).

Multiple variants of the malware were identified by BlackBerry researchers too, who included information on them in a report published in October 2019. BlackBerry refers to PhantomLance as OceanMobile.

By packing the malware with payload download and execution capabilities, the threat actor “was able to avoid overloading the application with unnecessary features and at the same time gather the desired information,” Kaspersky explains.

PhantomLance malware was mainly distributed through app marketplaces, using fake developer profiles in most cases (with associated GitHub accounts). The first versions of the apps were uploaded to the storefronts without malicious code, but later updates delivered both the malicious payloads and the code to drop and execute them.

The apps do not declare suspicious permissions in the manifest file; instead, the permissions are requested dynamically by code hidden inside the dex executable. Furthermore, if root access is available, the malware uses a reflection call to an undocumented API function to obtain the permissions it needs.

The security researchers observed roughly 300 infection attempts since 2016, targeting Android devices in India, Vietnam, Bangladesh and Indonesia, with Nepal, Myanmar and Malaysia also affected. Vietnam was hit the most, with some malicious applications made exclusively in Vietnamese.

Kaspersky identified code similarities with an older OceanLotus campaign targeting Android users in Vietnam and China between 2014 and 2017. Similarities with macOS backdoors, infrastructure overlaps with Windows backdoors, and other cross-platform resemblances were also identified.

Thus, the researchers assess with medium confidence that OceanLotus is behind PhantomLance. In fact, they believe that PhantomLance is the successor of the threat actor’s previous Android campaign.

Also known as APT32 or APT-C-00, OceanLotus is believed to have ties to the Vietnamese government and to be well-resourced and determined. Mainly targeting corporate and government organizations in Southeast Asia, the adversary recently mounted an espionage campaign against Chinese targets, to gather information related to the current COVID-19 crisis.

“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find,” said Alexey Firsh, security researcher at Kaspersky’s Global Research & Analysis Team (GReAT). “We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area. These developments underline the importance of continuous improvement of threat intelligence and supporting services, which could help in tracking threat actors and finding overlaps between various campaigns.”

*Updated to mention BlackBerry research on the attacks.

Related: Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China

Related: Vietnam-Linked Hackers Use Atypical Executables to Avoid Detection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.