- A+
PhantomLance间谍活动主要针对特定受害者,主要是在东南亚,这可能是OceanLotus APT的工作。
研究人员本周表示,针对亚洲Android用户的复杂,持续的间谍活动可能是OceanLotus高级持续威胁(APT)演员的工作。
Dubbed PhantomLance by Kaspersky, the campaign is centered around a complex spyware that’s distributed via dozens of apps within the Google Play official market, as well as other outlets like the third-party marketplace known as APKpure.
The effort, though first spotted last year, stretches back to at least 2016, according to findings released at the SAS@home virtual security conference on Tuesday.
A Sophisticated Campaign
The spyware is fairly narrow in its focus when it comes to functionality, researchers said. It can gather geolocation data, call logs and contacts, and can monitor SMS activity; the malware can also gather a list of installed applications, as well as device information, such as the model and OS version.
Multiple versions of the malware have been found in various applications since being flagged back in July 2019, albeit all with the same basic tool set. All of the samples uncovered, researchers said, are connected by multiple code similarities. Once a rogue application is installed on a device, it vets the victim’s device environment, such as which Android version the person is using and the apps that are installed on the device – and then, the payload is adapted accordingly.
“This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information,” according to Kaspersky.
In the latest Google Play sample observed by Kaspersky, there is a clear payload; other versions use an interim step that drops an additional executable file.
“Our main theory about the reasons for all these versioning maneuvers is that the attackers are trying to use diverse techniques to achieve their key goal, to bypass the official Google marketplace filters,” the firm explained. “And achieve it they did, as even this version passed Google’s filters and was uploaded to Google Play Store in 2019.”
The latest version also hides its suspicious permission requests; they are requested dynamically and hidden inside the dex executable.
“This seems to be a further attempt at circumventing security filtering,” according to Kaspersky. “In addition to that, there is a feature that we have not seen before: if the root privileges are accessible on the device, the malware can use a reflection call to the undocumented API function ‘setUidMode’ to get permissions it needs without user involvement.”
In a further attempt to make the applications seem legitimate, the threat actor created a fake developer profile on an associated Github account.
“In order to evade filtering mechanisms employed by marketplaces, the first versions of the application uploaded by the threat actor to marketplaces did not contain any malicious payloads,” Kaspersky researchers explained in the analysis. “However, with later updates, applications received both malicious payloads and a code to drop and execute these payloads.”
A Targeted Attack
Interestingly, researchers observed that the malware’s operators don’t seem interested in widescale infection. In fact, according to the firm’s telemetry, since 2016, only around 300 infection attempts were observed on Android devices — mainly in India, Vietnam, Bangladesh and Indonesia. Other infections, however, were found in Algeria, Iran and South Africa. And, several infections were found in Nepal, Myanmar and Malaysia.
“Usually if malware creators manage to upload a malicious app in the legitimate app store, they invest considerable resources into promoting the application to increase the number of installations and thus increase the number of victims,” explained the researchers in the writeup. “This wasn’t the case with these newly discovered malicious apps. It looked like the operators behind them were not interested in mass spread. For the researchers, this was a hint of targeted APT activity.”
The types of applications that the malware mimics include Flash plugins, cleaners and updaters.
Vietnam in particular saw a large number of attempted attacks; and, some malicious applications used in the campaign were also made exclusively in Vietnamese. These include “Tim quan nhau | Tìm quán nhậu” (“Find each other | Find pubs” in Vietnamese); and “Địa Điểm Nhà Thờ” (“Church Place”).
The OceanLotus Connection
Kaspersky researchers determined in their research that the PhantomLance payloads were at least 20 percent similar to those used in an older Android campaign associated with OceanLotus. Also, there were several other overlaps with OceanLotus activity that has been seen targeting Windows and MacOS users. The firm is assessing with “medium confidence” that PhantomLance could be the work of the cyber-espionage group.
OceanLotus is a Vietnam-linked APT that has been in operation since at least 2013, also known as APT32. Its targets are mostly located in Southeast Asia. Recently, from at least January to April, the FireEye Mandiant researchers have seen the group attacking China’s Ministry of Emergency Management, as well as the government of Wuhan province, in an apparent bid to steal intelligence regarding the country’s COVID-19 response.
Kaspersky reported all discovered PhantomLance samples to the owners of legitimate app stores in which they were found, and Google Play has removed the known apps, but the campaign is ongoing, according to the firm.
“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find,” said Alexey Firsh, security researcher at Kaspersky’s GReAT division, who delivered a session at the SAS@home virtual summit on the campaign. “PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals. We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area.”
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.