8 apps to delete from your Android smartphone now: which ones they are

Kaspersky identified eight apps that hid malware capable of spying on users and stealing personal data. Here’s what they are

The Google Play Store continues to be a breeding ground for cybercriminals who, in one way or another, still manage to circumvent security checks prior to publishing apps and put infected apps on the store.

In July 2019, Russian cybersecurity firm Dr. Web discovered a backdoor trojan inside some apps on the Google Play Store, which appeared to be far more sophisticated and certainly different from more common malware. Since then another cybersecurity company, Kaspersky, has conducted a more thorough investigation, uncovering a long-term campaign that has been dubbed “PhantomLance”. According to Kaspersky, the hacker group behind PhantomLance had been operating since December 2015. One of the latest infected apps was published on the Play Store on November 6, 2019. Kaspersky informed Google about the malware contained in the app, which was removed from the store shortly thereafter. But more apps contained the same malware: eight in total, six of which had already been removed in 2018 and the others in 2019.

Android apps: how the dangerous malware works

The apps discovered by Kaspersky and removed by Google did not always contain exactly the same malware, but different variants. This is one of the strategies of the groups behind these campaigns: to keep spreading different malware, to make it harder to identify. But the functionality of all these versions is similar: the main purpose of the spyware was to collect confidential information such as geolocation, call logs, access to contacts and SMS. Some versions of the malware also accessed the list of installed apps and other device information, such as the smartphone model and operating system version. Finally, the malware could download other dangerous software.

Dangerous apps: which ones they are

The latest eight apps belonging to the PhantomLance campaign, discovered and removed, are:

  • com.zimice.browserturbo
  • com.physlane.opengl
  • com.unianin.adsskipper
  • com.codedexon.prayerbook
  • com.luxury.BeerAddress
  • com.luxury.BiFinBall
  • com.zonjob.browsercleaner
  • com.linevialab.ffont

Some of these apps were nothing more than copies of other, legitimate apps with the malware inside.

A very sophisticated campaign

It must be said, however, that Kaspersky also found traces of the PhantomLance campaign in other stores, such as ApkPure. Moreover, the cyber security company’s researchers found that 20% of the dangerous code downloaded from the various versions of this malware was very similar to that already seen during one of the old Android campaigns associated with OceanLotus, a hacker group active since at least 2013 mainly in Southeast Asia. This is also why Kaspersky is almost certain that the PhantomLance campaign is linked to OceanLotus.