It’s widely known that the Google Play Store is not as locked down to threats as Apple’s App Store is; however, end users do still expect a certain baseline level of security from it. Google Play security is sometimes more reactive than proactive, but there is an expectation that spyware and malware apps that slip through the cracks will eventually be identified and removed. Android users may need to lower their expectations even further, however, as a new campaign run by state-sponsored hackers appears to have been passing data-siphoning malware through approved apps for years.
To be fair to Google, this campaign’s spyware apps were repeatedly identified and removed from the Play Store. However, the state-sponsored hackers behind the attack were able to keep coming back with new variants and have possibly been doing this since 2015. Some version of another of their spyware-laced app was available until November 2019, and some of the variants persisted on the Play Store for over a year before being removed.
The PhantomLance spyware campaign
Kaspersky researchers outlined the “PhantomLance” spyware campaign at this year’s Security Analyst Summit. The campaign appears to originate from a group of state-sponsored hackers based in Vietnam, and was focused on targets both in Vietnam and in other South Asian countries.
The Kaspersky report describes the espionage campaign as being focused on a relatively small amount of people in the region, ultimately compromising only a few hundred users. It appears that the spyware app was not advertised or designed to be stumbled across by Google Play customers; most of the infections appear to have stemmed from a phishing email sent to a specific target. The vast majority of the infections took place in Vietnam, with only an additional handful in China. The state-sponsored hackers made attempts on a number of other countries in the region, but these did not appear to be successful.
The spyware creates covert backdoors that allow the attackers to exfiltrate a great deal of information from the device: text messages, location data, contact lists, call logs, a list of installed applications and the device model and OS version number. It is also capable of executing shell commands from the attacker’s command server and downloading further malicious payloads to the device.
All of this indicates that the purpose of PhantomLance was espionage of targets both domestic and in neighboring countries. The state-sponsored hackers connected to the campaign, OceanLotus (aka APT32), have been known to range far and wide conducting spying campaigns on behalf of the Vietnamese government for some years now. The advanced persistent threat group has also been recently implicated in an attempt to spy on China’s Ministry of Emergency Management and Wuhan government officials to gather coronavirus information, and has been popping up throughout the world regularly since first being spotted using hacking tools against Vietnamese journalists and bloggers in 2014.
Reconsidering the reach of state-sponsored hackers into the Play Store
Though the group’s Play Store spyware was not detected until July of 2019, investigation after the fact indicates that OceanLotus had been successfully uploading similar apps since 2015. Prior apps had been removed by Google, but it does not appear that a connection was made between them until recently. This allowed the state-sponsored hackers to simply keep coming back with new apps containing similar spyware whenever one was removed. Though the Kaspersky researchers were the first to make the connections and pull all of this information together, researchers with both Anity Labs and Blackberry noted OceanLotus spyware present in Play Store apps in reports published in 2019.
It is difficult to guess at Google’s internal security practices, but the response to the PhantomLance campaign indicates that the Play Store screening process is heavily front-loaded. If an app can pass the initial check to be approved for the store, there appears to be much more leeway for a threat actor to pass spyware via updates once it is installed. Google does eventually track malicious apps down, but it can take months to do so and the system may be reliant on user flagging after a compromise has been discovered.
Organizations that allow Android apps on company devices would be well-served to add an extra layer of security, as Josh Bohls, CEO of Inkscreen, observes: “This once again demonstrates that Google Play Protect is a threadbare security blanket for Android devices and cannot be relied upon to protect against malware and malicious code. If your business allows Android devices into the workplace it is critical to manage them with a reputable EMM with threat detection capabilities, and to severely limit the applications that can be installed.”