Google Play falls victim to PhantomLace hacking campaign

State-sponsored hackers used Google Play to distribute malware

Skull mixed within computer code

Google Play has served as a hacker playground for years. Most recently, security researchers identified state-sponsored spies who repeatedly dumped their hacking tools into the Play store, and onto the unsuspecting users’ devices. 

Dubbed PhantomLace, researchers claim these spies hid malware in the Play store, targeting users in Vietnam, Bangladesh, Indonesia, and India. However, unlike most other shady apps found in the store, PhantomLance's hackers smuggled in data-stealing apps, consequently infecting hundreds of users.

Kaspersky’s researchers also claim to have connected PhantomLace to the hacker group OceanLotus or APT32. OceanLotus is believed to be working on behalf of the Vietnamese government, which means PhantomLance may have mixed spying on its neighbors with domestic surveillance of Vietnamese citizens. 

PhantomLace came to light in July of last year when Russian security firm Dr. Web uncovered a sample of spyware in the Google Play store. This spyware impersonated graphic design software but was also able to steal contacts, call logs, and text messages from Android users’ phones. 

Kaspersky’s research team went on to find numerous spyware apps dating back to 2015. Google had already removed some of the apps from the Play Store, but they’ve remained visible in archived mirrors of the app repository. Each app was designed to be "clean" when installed so it would bypass Google’s security, but it would later add malware to user devices during app updates and through permission requests.

Once Kaspersky identified the PhantomLance apps, its researchers could match the app’s code with malware also used by OceanLotus, which has been active since as early as 2013. 

PhantomLance isn’t the first instance of state-sponsored hackers using Google Play to distribute spy tools. Google has yet to say clearly if it’s working to prevent malicious apps from taking advantage of unsuspecting users.

Instead, the company issued a statement claiming: "We’re always working to improve our detection capabilities. We appreciate the work of the researchers in sharing their findings with us. We’ve since taken action against all the apps they identified.”

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022