
State-Sponsored Hackers Have Been Pushing Spyware Through Authorized Google Play Downloads for Years

It’s widely known that the Google Play Store is not as locked down against threats as Apple’s App Store is; however, end users do still expect a certain baseline level of security from it. Google Play security is sometimes more reactive than proactive, but there is an expectation that spyware and malware apps that slip through the cracks will eventually be identified and removed. Android users may need to lower their expectations even further, however, as a new campaign run by state-sponsored hackers appears to have been passing data-siphoning malware through approved apps for years.

To be fair to Google, this campaign’s spyware apps were repeatedly identified and removed from the Play Store. However, the state-sponsored hackers behind the attack were able to keep coming back with new variants and have possibly been doing this since 2015. Some version or another of their spyware-laced apps was available until November 2019, and some of the variants persisted on the Play Store for over a year before being removed.

The PhantomLance spyware campaign

Kaspersky researchers outlined the “PhantomLance” spyware campaign at this year’s Security Analyst Summit. The campaign appears to originate from a group of state-sponsored hackers based in Vietnam, and was focused on targets both in Vietnam and in other South Asian countries.

The Kaspersky report describes the espionage campaign as being focused on a relatively small number of people in the region, ultimately compromising only a few hundred users. It appears that the spyware app was not advertised or designed to be stumbled across by Google Play customers; most of the infections appear to have stemmed from a phishing email sent to a specific target. The vast majority of the infections took place in Vietnam, with only an additional handful in China. The state-sponsored hackers made attempts on a number of other countries in the region, but these did not appear to be successful.

The spyware creates covert backdoors that allow the attackers to exfiltrate a great deal of information from the device: text messages, location data, contact lists, call logs, a list of installed applications and the device model and OS version number. It is also capable of executing shell commands from the attacker’s command server and downloading further malicious payloads to the device.

All of this indicates that the purpose of PhantomLance was espionage of targets both domestic and in neighboring countries. The state-sponsored hackers connected to the campaign, OceanLotus (aka APT32), have been known to range far and wide conducting spying campaigns on behalf of the Vietnamese government for some years now. The advanced persistent threat group has also been recently implicated in an attempt to spy on China’s Ministry of Emergency Management and Wuhan government officials to gather coronavirus information, and has been popping up throughout the world regularly since first being spotted using hacking tools against Vietnamese journalists and bloggers in 2014.

Reconsidering the reach of state-sponsored hackers into the Play Store

Though the group’s Play Store spyware was not detected until July of 2019, investigation after the fact indicates that OceanLotus had been successfully uploading similar apps since 2015. Prior apps had been removed by Google, but it does not appear that a connection was made between them until recently. This allowed the state-sponsored hackers to simply keep coming back with new apps containing similar spyware whenever one was removed. Though the Kaspersky researchers were the first to make the connections and pull all of this information together, researchers with both Antiy Labs and BlackBerry noted OceanLotus spyware present in Play Store apps in reports published in 2019.

The spyware apps tended to offer services to speakers of Vietnamese, such as regional news or tools for finding nearby churches. The malware delivery was fairly sophisticated: the apps tended to be free of any questionable elements upon initial install, and only brought in the malicious component through a later update. The state-sponsored hackers also took the extra step of creating fake GitHub repositories to make the apps look more authentic. They even created a privacy policy and “contact us” query forms for each one.

Though APT32 is certainly a capable threat group, their success in maintaining a presence on the Play Store for over half a decade leads one to wonder whether the “heavy hitters” of the world of state-sponsored hackers are running even more sophisticated covert actions on the platform. This year alone Google has already removed 24 apps that were found to be passing personal data back to Chinese servers, and Russia-based hacker groups have been caught with their hands in the cookie jar as well.

A gaping hole in the Google firewall?

It is difficult to guess at Google’s internal security practices, but the response to the PhantomLance campaign indicates that the Play Store screening process is heavily front-loaded. If an app can pass the initial check to be approved for the store, there appears to be much more leeway for a threat actor to pass spyware via updates once it is installed. Google does eventually track malicious apps down, but it can take months to do so and the system may be reliant on user flagging after a compromise has been discovered.

Organizations that allow Android apps on company devices would be well-served to add an extra layer of security, as Josh Bohls, CEO of Inkscreen, observes: “This once again demonstrates that Google Play Protect is a threadbare security blanket for Android devices and cannot be relied upon to protect against malware and malicious code. If your business allows Android devices into the workplace it is critical to manage them with a reputable EMM with threat detection capabilities, and to severely limit the applications that can be installed.”