Kathy Gibson reports on the virtual Kaspersky Security Analyst Summit – As mobile devices become the most popular way for people to access the Internet, mobile advanced persistent threats (APTs), have the ability to affect thousands if not millions of smartphone users.
Alexey Firsh, security researcher at Kaspersky, offers details on the Android-based PhantomLance malware that is currently affecting some Google Play users.
Researchers first identified the malware in July 2019, and followed up with further investigation.
Once researchers started to search for samples, it found them in abundance around the world.
Lev Pikman, malware analyst at Kaspersky, points out there are several versions of PhantomLance, all of which user a new malicious technique to access user information – one which doesn’t require permissions on the device.
The malware steals sensitive data from the victim’s device, allowing them to execute additional payloads at will.
Samples are uploaded on several marketplace, with fake developer accounts used to create the apps.
Some of the infected apps are still present on several marketplaces and Google Play mirror sites, Pikman points out.
The PhantomLance actors take time and care to deliver their malware. Tactics include making a simple, clean app; uploading it to marketplaces; getting approval; scoring a positive reputation as a developer; then updating the app with a dropper code and payload.
Investigations about who is behind this sophisticated campaign is still a mystery – even though the same infrastructure has been maintained for almost five years.
“This indicates a long-term actor,” Firsch says.
Comparing previous malware campaigns, the researchers are confident that an Asian operator, OceanLotus, is responsible for PhantomLance.
“This campaign is an outstanding example of how advanced threat actors are moving further into deeper waters and becoming harder to find. PhantomLance has been going on for over five years and the threat actors managed to bypass the app stores’ filters several times, using advanced techniques to achieve their goals,” Firsch says.
“We can also see that the use of mobile platforms as a primary infection point is becoming more popular, with more and more actors advancing in this area.
“These developments underline the importance of continuous improvement of threat intelligence and supporting services, which could help in tracking threat actors and finding overlaps between various campaigns.”