A sophisticated, ongoing espionage campaign aimed at Android users in Asia is likely the work of the OceanLotus advanced persistent threat (APT) actor, researchers said this week.

Dubbed PhantomLance by Kaspersky, the campaign is centred around complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.

The effort, though first spotted last year, stretches back to at least 2016, according to findings released at the SAS@home virtual security conference on Tuesday.


A Sophisticated Campaign

The spyware is fairly narrow in its focus when it comes to functionality, researchers said. It can gather geolocation data, call logs and contacts, and can monitor SMS activity; the malware can also gather a list of installed applications, as well as device information, such as the model and OS version.


Multiple versions of the malware have been found in various applications since it was first flagged in July 2019, all with the same basic toolset. All of the samples uncovered, researchers said, are linked by multiple code similarities. Once a rogue application is installed, it profiles the victim's device environment, such as the Android version in use and the apps installed on the device, and the payload is then adapted accordingly.

An example of a rogue Google Play app harbouring the spyware.

“This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information,” according to Kaspersky.

In the latest Google Play sample observed by Kaspersky, there is a clear payload; other versions use an interim step that drops an additional executable file.

“Our main theory about the reasons for all these versioning manoeuvres is that the attackers are trying to use diverse techniques to achieve their key goal, to bypass the official Google marketplace filters,” the firm explained. “And achieve it they did, as even this version passed Google’s filters and was uploaded to Google Play Store in 2019.”

The latest version also hides its suspicious permission requests: they are made dynamically at runtime, with the request logic buried inside the dex executable.

“This seems to be a further attempt at circumventing security filtering,” according to Kaspersky. “In addition to that, there is a feature that we have not seen before: if the root privileges are accessible on the device, the malware can use a reflection call to the undocumented API function ‘setUidMode’ to get permissions it needs without user involvement.”

“In order to evade filtering mechanisms employed by marketplaces, the first versions of the application uploaded by the threat actor to marketplaces did not contain any malicious payloads,” Kaspersky researchers explained in the analysis. “However, with later updates, applications received both malicious payloads and a code to drop and execute these payloads.”
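The two evasion tricks described above (permission requests buried in the dex rather than visible up front, and a reflective call to an undocumented API such as setUidMode) both leave string artefacts in the dex file's string table, which is the cheapest place to look during APK triage. The following script is an added example, not Kaspersky's or BlackBerry's tooling: it parses the dex header and string_ids table directly, then reports sensitive permission strings that appear in the code but not in the set of permissions the analyst extracted from the manifest, plus reflection and AppOps indicators. The indicator lists and the in-memory dex fixture built by build_dex are constructed for illustration; the heuristic is a triage aid, not proof of malice.

```python
"""Triage a classes.dex string table for hidden permission requests and reflection.

Added example for PhantomLance-style evasion; not code from the article or the
vendors it cites. The dex layout used here (header fields at 0x38/0x3C, uleb128
length-prefixed, NUL-terminated string_data_items) follows the public dex format.
"""
import struct

# Assumed indicator lists (constructed for this example, extend as needed).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}
REFLECTION_INDICATORS = {
    "setUidMode",                 # undocumented AppOps call named in the report
    "android.app.AppOpsManager",
    "java.lang.reflect.Method",
    "getDeclaredMethod",
}


def read_uleb128(buf, off):
    """Decode one unsigned LEB128 value; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex):
    """Return every entry of the dex string table as a Python str."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size/off
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, p = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", p)  # MUTF-8 never contains a raw NUL byte
        out.append(dex[p:end].decode("utf-8", errors="replace"))
    return out


def triage(dex, manifest_permissions):
    """Flag permission strings only present in code, and reflection/AppOps hints."""
    strings = set(dex_strings(dex))
    undeclared = sorted(s for s in strings
                        if s in SENSITIVE_PERMISSIONS and s not in manifest_permissions)
    reflection = sorted(s for s in strings if s in REFLECTION_INDICATORS)
    return {"undeclared_permissions": undeclared,
            "reflection_indicators": reflection,
            "suspicious": bool(undeclared or reflection)}


def uleb128(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_dex(strings):
    """Build a minimal, header-only dex blob carrying a string table (test fixture)."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    ids_off = 0x70
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", ids_off + 4 * len(strings) + len(data))
        data += uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    struct.pack_into("<I", header, 0x20, len(header) + len(ids) + len(data))
    return bytes(header + ids + data)


# Constructed sample: a "cleaner" app whose manifest only declares INTERNET.
SAMPLE_DEX = build_dex([
    "Lcom/example/cleaner/MainActivity;",
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.app.AppOpsManager",
    "getDeclaredMethod",
    "setUidMode",
])
SAMPLE_MANIFEST_PERMISSIONS = {"android.permission.INTERNET"}

if __name__ == "__main__":
    print(triage(SAMPLE_DEX, SAMPLE_MANIFEST_PERMISSIONS))
```

On a real APK, unzip classes*.dex (multidex apps have several) and feed each one to triage together with the uses-permission names pulled from the decoded AndroidManifest.xml; obfuscated samples may build permission strings at runtime, so an empty result rules nothing out.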

Kaspersky’s report follows previous research from BlackBerry, which connected OceanLotus to a trio of fake apps for Android last year. One of those apps supposedly provided support for high-resolution graphics on the phone (e.g. for use in games), while another purported to block ads on a phone, and a third presented itself as a browser and cache cleaner. The apps were distributed through phishing, but also to a wider set of targets via third-party app stores as well as the official Google Play Store.

BlackBerry researchers also dug into how the apps made it into the Google Play Store itself – “finding that OceanLotus went to the trouble of establishing an entire fake backstory to give its malicious apps an air of legitimacy,” a spokesperson told Threatpost.

In behaviour also seen by Kaspersky, the threat actor created a fake developer profile on an associated GitHub account for each app.

“They created modified GitHub repositories that theoretically showed evidence of the developers’ code for each app, complete with public-facing ‘contact us’ email addresses to answer any questions that might arise about their ‘products,’” according to the BlackBerry research. “They even went to lengths to concoct entire privacy policies for their apps, which few people tend to actually read, but nevertheless was ironic, given that OceanLotus’ entire premise was to spy on its targets.”


A Targeted Attack

Interestingly, researchers observed that the malware’s operators do not seem interested in wide-scale infection. According to the firm’s telemetry, only around 300 infection attempts have been observed on Android devices since 2016, mainly in India, Vietnam, Bangladesh and Indonesia. Further infections were found in Algeria, Iran and South Africa, and several in Nepal, Myanmar and Malaysia.

“Usually if malware creators manage to upload a malicious app in the legitimate app store, they invest considerable resources into promoting the application to increase the number of installations and thus increase the number of victims,” explained the researchers in the writeup. “This wasn’t the case with these newly discovered malicious apps. It looked like the operators behind them were not interested in a mass spread. For the researchers, this was a hint of targeted APT activity.”

The types of applications that the malware mimics include Flash plugins, cleaners and updaters.


We’re Beeso IT, how can we help?

Our expert team of engineers, consultants, solution architects and project managers works right alongside our clients’ internal IT teams, bringing years of technical experience and competencies to your business on a need-by-need basis.

Wherever you require support, and whatever the technology requirement, the Beeso IT team is on hand locally as your global technology partner. If you are unsure how secure your endpoints are, please contact the team today.


News source: