Google Play falls victim to PhantomLace hacking campaign

State-sponsored hackers used Google Play to distribute malware

Skull mixed within computer code

Google Play has served as a hacker playground for years. Most recently, security researchers identified state-sponsored spies who repeatedly dumped their hacking tools into the Play store, and onto the unsuspecting users’ devices. 

Dubbed PhantomLace, researchers claim these spies hid malware in the Play store, targeting users in Vietnam, Bangladesh, Indonesia, and India. However, unlike most other shady apps found in the store, PhantomLance's hackers smuggled in data-stealing apps, consequently infecting hundreds of users.

Kaspersky’s researchers also claim to have connected PhantomLace to the hacker group OceanLotus or APT32. OceanLotus is believed to be working on behalf of the Vietnamese government, which means PhantomLance may have mixed spying on its neighbors with domestic surveillance of Vietnamese citizens. 

PhantomLace came to light in July of last year when Russian security firm Dr. Web uncovered a sample of spyware in the Google Play store. This spyware impersonated graphic design software but was also able to steal contacts, call logs, and text messages from Android users’ phones. 

Kaspersky’s research team went on to find numerous spyware apps dating back to 2015. Google had already removed some of the apps from the Play Store, but they’ve remained visible in archived mirrors of the app repository. Each app was designed to be "clean" when installed so it would bypass Google’s security, but it would later add malware to user devices during app updates and through permission requests.

Once Kaspersky identified the PhantomLance apps, its researchers could match the app’s code with malware also used by OceanLotus, which has been active since as early as 2013. 

PhantomLance isn’t the first instance of state-sponsored hackers using Google Play to distribute spy tools. Google has yet to say clearly if it’s working to prevent malicious apps from taking advantage of unsuspecting users.

Instead, the company issued a statement claiming: "We’re always working to improve our detection capabilities. We appreciate the work of the researchers in sharing their findings with us. We’ve since taken action against all the apps they identified.”

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021