{"id":35234,"date":"2020-04-30T07:50:33","date_gmt":"2020-04-30T11:50:33","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=35234"},"modified":"2020-05-18T07:15:30","modified_gmt":"2020-05-18T11:15:30","slug":"phantomlance-android-backdoor-trojan","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/phantomlance-android-backdoor-trojan\/35234\/","title":{"rendered":"PhantomLance Android backdoor discovered on\u00a0Google Play"},"content":{"rendered":"<p>Last July, our colleagues at Doctor Web <a href=\"https:\/\/news.drweb.com\/show\/?c=0&amp;p=0&amp;lng=en&amp;i=13349\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">detected<\/a> a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/backdoor\/\" target=\"_blank\" rel=\"noopener noreferrer\">Trojan backdoor<\/a> on Google Play. Such discoveries are not exactly an everyday occurrence, but they\u2019re hardly unheard of\u00a0\u2014 researchers do find Trojans on Google Play, sometimes hundreds at a time.<\/p>\n<p>This Trojan, however, was surprisingly sophisticated for malware found on Google Play, so our experts decided to dig deeper. They conducted <a href=\"https:\/\/securelist.com\/apt-phantomlance\/96772\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">their own investigation<\/a> and found that the malware is part of a malicious campaign (which we dubbed PhantomLance) that\u2019s been ongoing since the end of 2015.<\/p>\n<h2>What PhantomLance can do<\/h2>\n<p>Our experts detected several versions of PhantomLance. Despite their increasing complexity and the differences in time of appearance, they are fairly similar in terms of capabilities.<\/p>\n<p>The main objective of PhantomLance is to harvest confidential information from the victim\u2019s device. The malware is able to supply its handlers with location data, call logs, text messages, lists of installed apps, and full information about the infected smartphone. 
What\u2019s more, its functionality can be expanded at any moment simply by loading additional modules from the C&amp;C server.<\/p>\n<h2>PhantomLance distribution<\/h2>\n<p>Google Play is the malware\u2019s main distribution platform. It\u2019s also been found in third-party repositories, but for the most part they are only mirrors of the official Google app store.<\/p>\n<p>We can say for sure that apps infected with a version of the Trojan started appearing in the store in the summer of 2018. The malware was found hiding in utilities for changing fonts, removing ads, system cleanup, and so on.<\/p>\n<div id=\"attachment_35236\" style=\"width: 750px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/04\/30073921\/phantomlance-android-backdoor-trojan-app.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-35236\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/04\/30073921\/phantomlance-android-backdoor-trojan-app.png\" alt=\"An app on Google Play found to contain the PhantomLance backdoor\" width=\"740\" height=\"670\" class=\"size-full wp-image-35236\"><\/a><p id=\"caption-attachment-35236\" class=\"wp-caption-text\">An app on Google Play found to contain the PhantomLance backdoor<\/p><\/div>\n<p>Apps containing PhantomLance have all since been removed from Google Play, of course, but copies can still be found in mirrors. Ironically, some of these mirror repositories state that the installation package was downloaded directly from Google Play, and is thus said to be definitely virus-free.<\/p>\n<p>How did the cybercriminals manage to sneak their toy into Google\u2019s official store? First, for added authenticity, the attackers created a profile of each developer on GitHub. These profiles contained only some sort of license agreement. 
Nevertheless, having a profile on GitHub apparently lends developers respectability.<\/p>\n<p>Second, the apps that PhantomLance\u2019s creators initially uploaded to the store were not malicious. The first versions of the programs did not contain any suspicious features, and therefore they passed Google Play\u2019s checks with flying colors. Only some time later, with updates, did the apps acquire malicious features.<\/p>\n<h2>PhantomLance\u2019s targets<\/h2>\n<p>Judging by the geography of its spread, as well as the presence of Vietnamese versions of malicious apps in online stores, we believe the top targets of PhantomLance creators were users from Vietnam.<\/p>\n<p>Moreover, our experts detected a number of characteristics linking PhantomLance with the OceanLotus group, which is responsible for creating a range of malware also aimed at users from Vietnam.<\/p>\n<p>The set of OceanLotus malware tools previously analyzed includes a family of macOS backdoors, a family of Windows backdoors, and a set of Android Trojans, whose activity was spotted in 2014\u20132017. 
Our experts came to the conclusion that PhantomLance succeeded the abovementioned Android Trojans starting in 2016.<\/p>\n<div id=\"attachment_35237\" style=\"width: 970px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/04\/30073959\/phantomlance-android-backdoor-trojan-oceanlotus.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-35237\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/04\/30073959\/phantomlance-android-backdoor-trojan-oceanlotus.png\" alt=\"PhantomLance is linked to other OceanLotus malware weapons\" width=\"960\" height=\"640\" class=\"size-full wp-image-35237\"><\/a><p id=\"caption-attachment-35237\" class=\"wp-caption-text\">PhantomLance is linked to other OceanLotus malware weapons<\/p><\/div>\n<h2>How to guard against PhantomLance<\/h2>\n<p>One of the tips we often repeat in posts about Android malware is \u201cInstall apps only from Google Play.\u201d But PhantomLance demonstrates yet again that malware can sometimes hoodwink even the Internet giants.<\/p>\n<p>Google takes great pains to keep its app store clean (otherwise we\u2019d run into suspicious software far more often), but the company\u2019s capabilities are not unlimited, and attackers are inventive. Therefore, the mere fact that an app is on Google Play is no guarantee of its safety. Always consider other factors:<\/p>\n<ul>\n<li>Give preference to apps from trusted developers.<\/li>\n<li>Pay attention to <a href=\"https:\/\/www.kaspersky.com\/blog\/android-app-security\/18505\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">app ratings and user reviews<\/a>.<\/li>\n<li>Look carefully at the <a href=\"https:\/\/www.kaspersky.com\/blog\/android-8-permissions-guide\/23981\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">permissions an app requests<\/a>, and don\u2019t hesitate to refuse if you think it\u2019s being greedy. 
For example, a weather app probably doesn\u2019t need access to your contacts and messages, and likewise a photo filter doesn\u2019t need to know your location.<\/li>\n<li>Scan the apps you install on your Android device with a <a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">reliable security solution<\/a>.<\/li>\n<\/ul>\n<p>For more technical information about PhantomLance, see our experts\u2019 <a href=\"https:\/\/securelist.com\/apt-phantomlance\/96772\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">detailed report on Securelist<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kisa-generic-2\">\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky experts found the PhantomLance Trojan backdoor for Android in Google Play.<\/p>\n","protected":false},"author":2506,"featured_media":35238,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[105,499,1449,183,605,3785,2535,337,3762,333,723],"class_list":{"0":"post-35234","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-apt","10":"tag-backdoors","11":"tag-google-play","12":"tag-great","13":"tag-phantomlance","14":"tag-root","15":"tag-sas","16":"tag-sas-2020","17":"tag-security-analyst-summit","18":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/phantomlance-android-backdoor-trojan\/35234\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/phantomlance-android-backdoor-trojan\/21067\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/phantomlance-android-backdoor-trojan\/16626\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/phantomla
nce-android-backdoor-trojan\/8197\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/phantomlance-android-backdoor-trojan\/22149\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/phantomlance-android-backdoor-trojan\/19872\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/phantomlance-android-backdoor-trojan\/18620\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/phantomlance-android-backdoor-trojan\/22625\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/phantomlance-android-backdoor-trojan\/21554\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/phantomlance-android-backdoor-trojan\/28278\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/phantomlance-android-backdoor-trojan\/8193\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/phantomlance-android-backdoor-trojan\/14781\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/phantomlance-android-backdoor-trojan\/15150\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/phantomlance-android-backdoor-trojan\/13419\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/phantomlance-android-backdoor-trojan\/23925\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/phantomlance-android-backdoor-trojan\/11405\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/phantomlance-android-backdoor-trojan\/28246\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/phantomlance-android-backdoor-trojan\/25380\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/phantomlance-android-backdoor-trojan\/22153\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/phantomlance-android-backdoor-trojan\/27466\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/phantomlance-android-backdoor-trojan\/27301\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"se
lf":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/35234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2506"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=35234"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/35234\/revisions"}],"predecessor-version":[{"id":35457,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/35234\/revisions\/35457"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/35238"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=35234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=35234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=35234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}