Google Play falls victim to PhantomLance hacking campaign

State-sponsored hackers used Google Play to distribute malware

Google Play has served as a hacker playground for years. Most recently, security researchers identified state-sponsored spies who repeatedly dumped their hacking tools into the Play store and onto unsuspecting users’ devices.

Researchers claim the spies behind the campaign, dubbed PhantomLance, hid malware in the Play store, targeting users in Vietnam, Bangladesh, Indonesia, and India. However, unlike most other shady apps found in the store, PhantomLance's hackers smuggled in data-stealing apps, consequently infecting hundreds of users.

Kaspersky’s researchers also claim to have connected PhantomLance to the hacker group OceanLotus, also known as APT32. OceanLotus is believed to be working on behalf of the Vietnamese government, which means PhantomLance may have mixed spying on its neighbors with domestic surveillance of Vietnamese citizens.

PhantomLance came to light in July of last year when Russian security firm Dr. Web uncovered a sample of spyware in the Google Play store. This spyware impersonated graphic design software but was also able to steal contacts, call logs, and text messages from Android users’ phones.

Kaspersky’s research team went on to find numerous spyware apps dating back to 2015. Google had already removed some of the apps from the Play Store, but they’ve remained visible in archived mirrors of the app repository. Each app was designed to be "clean" when installed so it would bypass Google’s security, but it would later add malware to user devices during app updates and through permission requests.

Once Kaspersky identified the PhantomLance apps, its researchers could match the apps’ code with malware also used by OceanLotus, which has been active since as early as 2013.

PhantomLance isn’t the first instance of state-sponsored hackers using Google Play to distribute spy tools. Google has yet to say clearly if it’s working to prevent malicious apps from taking advantage of unsuspecting users.

Instead, the company issued a statement claiming: “We’re always working to improve our detection capabilities. We appreciate the work of the researchers in sharing their findings with us. We’ve since taken action against all the apps they identified.”
