https://www.wired.com/story/phantomlance-google-play-malware-apt32/
By Andy Greenberg
Security
Wired.com
04/28/2020
GOOGLE'S PLAY STORE for Android apps has never had a reputation for the
strictest protections from malware. Shady adware and even banking trojans have
managed over the years to repeatedly defy Google's security checks. Now
security researchers have found what appears to be a rarer form of Android
abuse: state-sponsored spies who repeatedly slipped their targeted hacking
tools into the Play Store and onto victims' phones.
At a remote virtual version of its annual Security Analyst Summit, researchers
from the Russian security firm Kaspersky today plan to present research about a
hacking campaign they call PhantomLance, in which spies hid malware in the Play
Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most
of the shady apps found in the Play Store, Kaspersky's researchers say,
PhantomLance's hackers apparently smuggled in data-stealing apps with the aim
of infecting only some hundreds of users; the spy campaign likely sent links to
the malicious apps to those targets via phishing emails. "In this case, the
attackers used Google Play as a trusted source," says Kaspersky researcher
Alexey Firsh. "You can deliver a link to this app, and the victim will trust it
because it’s Google Play."
Kaspersky says it has tied the PhantomLance campaign to the hacker group
OceanLotus, also known as APT32, widely believed to be working on behalf of the
Vietnamese government. That suggests the PhantomLance campaign likely mixed
spying on Vietnam's Southeast Asian neighbors with domestic surveillance of
Vietnamese citizens. Security firm FireEye, for instance, has linked OceanLotus
to previous operations that targeted Vietnamese dissidents and bloggers.
FireEye also recently spotted the group targeting China's Ministry of Emergency
Management as well as the government of the Chinese province of Wuhan,
apparently searching for information related to Covid-19.
[...]