Google Play falls victim to PhantomLance hacking campaign

State-sponsored hackers used Google Play to distribute malware


Google Play has served as a hacker playground for years. Most recently, security researchers identified state-sponsored spies who repeatedly dumped their hacking tools into the Play store, and onto unsuspecting users’ devices.

Researchers claim the spies behind the campaign, dubbed PhantomLance, hid malware in the Play store, targeting users in Vietnam, Bangladesh, Indonesia, and India. However, unlike the makers of most other shady apps found in the store, PhantomLance's hackers smuggled in data-stealing apps, consequently infecting hundreds of users.

Kaspersky’s researchers also claim to have connected PhantomLance to the hacker group OceanLotus, also known as APT32. OceanLotus is believed to be working on behalf of the Vietnamese government, which means PhantomLance may have mixed spying on its neighbors with domestic surveillance of Vietnamese citizens.

PhantomLance came to light in July of last year when Russian security firm Dr. Web uncovered a sample of spyware in the Google Play store. This spyware impersonated graphic design software but was also able to steal contacts, call logs, and text messages from Android users’ phones.

Kaspersky’s research team went on to find numerous spyware apps dating back to 2015. Google had already removed some of the apps from the Play Store, but they’ve remained visible in archived mirrors of the app repository. Each app was designed to be "clean" when installed so it would bypass Google’s security, but it would later add malware to user devices during app updates and through permission requests.

Once Kaspersky identified the PhantomLance apps, its researchers could match the apps’ code with malware also used by OceanLotus, which has been active since as early as 2013.

PhantomLance isn’t the first instance of state-sponsored hackers using Google Play to distribute spy tools. Google has yet to say clearly if it’s working to prevent malicious apps from taking advantage of unsuspecting users.

Instead, the company issued a statement claiming: “We’re always working to improve our detection capabilities. We appreciate the work of the researchers in sharing their findings with us. We’ve since taken action against all the apps they identified.”
