SAS@Home – Kaspersky’s security researchers have uncovered a long-running spyware campaign targeting Android users that bears the marks of Vietnam-linked hacking group OceanLotus.
Dubbed PhantomLance and active since at least 2015, the ongoing campaign employs a complex piece of spyware designed to harvest victim data. Multiple versions of the malware have been observed, some distributed via malicious applications in Google Play.
The spyware was initially uncovered by Doctor Web in July 2019, in Google Play, with capabilities such as gathering and exfiltration of information (contacts, text messages, call history, device location, and installed applications), file download and execution, file upload, shell command execution, and more.
Drawn by the spyware’s sophistication level and behavior, Kaspersky’s security researchers started an investigation that revealed another very similar sample on Google Play. Unlike other malware authors, however, the app’s developers did not attempt to promote it in any way, suggesting they were not interested in mass spreading, which hints at APT activity.
The researchers discovered additional versions of the malware, many deployed in Google Play and removed. They featured multiple code similarities and the same functionality: information gathering and payload execution. The most recent of the samples was published on the official Android market on November 6, 2019 (Google has already removed it).
Multiple variants of the malware were identified by BlackBerry researchers too, who included information on them in a report published in October 2019. BlackBerry refers to PhantomLance as OceanMobile.
By packing the malware with payload download and execution capabilities, the threat actor “was able to avoid overloading the application with unnecessary features and at the same time gather the desired information,” Kaspersky explains.
PhantomLance malware was mainly distributed through app marketplaces, using fake developer profiles in most cases (with associated GitHub accounts). The first versions of the apps were uploaded to the storefronts without malicious code, but later updates delivered both the malicious payloads and the code to drop and execute them.
The apps don’t mention suspicious permissions in the manifest file, but they are requested dynamically and hidden inside the dex executable. Furthermore, if root access is available, the malware uses a reflection call to an undocumented API function to get the permissions it needs.
The security researchers observed roughly 300 infection attempts since 2016, targeting Android devices in India, Vietnam, Bangladesh and Indonesia, with Nepal, Myanmar and Malaysia also affected. Vietnam was hit the most, with some malicious applications made exclusively in Vietnamese.
Kaspersky identified code similarities with an older OceanLotus campaign targeting Android users in Vietnam and China between 2014 and 2017. Similarities with macOS backdoors and infrastructure overlaps with Windows backdoors, along with cross-platform resemblances were also identified.
Thus, the researchers assess with medium confidence that OceanLotus is behind PhantomLance. In fact, they believe that PhantomLance is the successor of the threat actor’s previous Android campaign.
Also known as APT32 or APT-C-00, OceanLotus is believed to have ties to the Vietnamese government and to be well-resourced and determined. Mainly targeting corporate and government organizations in Southeast Asia, the adversary recently mounted an espionage campaign against Chinese targets, to gather information related to the current COVID-19 crisis.
“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find,” said Alexey Firsh, security researcher at Kaspersky’s Global Research & Analysis Team (GReAT). “We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area. These developments underline the importance of continuous improvement of threat intelligence and supporting services, which could help in tracking threat actors and finding overlaps between various campaigns.”
*Updated to mention BlackBerry research on the attacks.
Related: Vietnamese Hackers Mount COVID-19 Espionage Campaigns Against China
Related: Vietnam-Linked Hackers Use Atypical Executables to Avoid Detection