OceanLotus: Kaspersky has released an update on findings originally reported by Dr. Web in July 2019 about Android malware being distributed through fake apps. The malware, dubbed PhantomLance, could potentially steal victims' money or display fake advertisements on their devices. Dozens of applications were found after the initial report, and three different versions of the malware were analyzed. During an evaluation of the operations, many similarities were found between PhantomLance and previous operations carried out by the Vietnamese threat group OceanLotus. One of the latest samples analyzed was available on the Google Play Store and was removed shortly after being discovered. As Google works to increase its security around mobile apps that are available on the Google Play Store, threat actors are still working to find ways to distribute malicious applications. In this case, the threat actors used alternate application marketplaces by creating fraudulent GitHub accounts that are registered as developer accounts. Using the developer account, the threat actor can upload new apps to marketplaces. At first, the threat actor uploads a non-malicious version of the app so that it is accepted by the marketplace; then alternate versions or updates containing the malware are uploaded after the original is accepted. In some cases, malicious updates are delivered directly to the apps after they are installed on Android devices, bypassing all security checks from the marketplace.
Attacks were seen as early as 2016 and the most recent malware versions were found in early 2020. In most cases, the malware-ridden applications were distributed through marketplaces that are not as popular as the Google Play Store. It is important to only download applications that are approved by the Google Play Store and avoid downloading applications from third-party websites or lesser-known app marketplaces. OceanLotus has been known to target Southeast Asian countries including the Philippines and Laos, where some of these attacks took place. Attacks were also seen in parts of Africa, Iran, and India.
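One practical way to act on the advice above is to inventory which installed apps did not come from Google Play. The Python below is an added example, not code from Kaspersky or from this summary: it parses the output of the real Android command `adb shell pm list packages -i` (one line per package, of the form `package:<name>  installer=<installer package or null>`) and flags packages whose installer is anything other than Google Play's `com.android.vending`. The sample output lines and package names are constructed for illustration, and skipping `com.android.*` packages is a heuristic assumption to suppress system-app noise.

```python
"""Flag Android packages that were not installed through Google Play.

Added example (not part of the Kaspersky report or this summary). Input is
the output of `adb shell pm list packages -i`; the SAMPLE_PM_OUTPUT below is
constructed, with made-up package names.
"""
import re
from typing import Dict, List, Tuple

# Google Play's installer package name. Any other installer, or "null",
# means the app was sideloaded or came from another store.
GOOGLE_PLAY_INSTALLER = "com.android.vending"

# Format of each `pm list packages -i` line.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Constructed sample output (package names are illustrative, not real IoCs).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.weather  installer=com.thirdparty.store
package:com.android.settings  installer=null
"""


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> installer package name ('null' when unknown)."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unexpected pm output line: {line!r}")
        result[match.group("pkg")] = match.group("installer")
    return result


def non_play_packages(
    text: str, ignore_prefixes: Tuple[str, ...] = ("com.android.",)
) -> List[str]:
    """Return packages not installed by Google Play.

    Packages whose name starts with one of ignore_prefixes are skipped; this
    is an assumed heuristic to leave out preinstalled system packages, which
    typically report installer=null.
    """
    flagged = []
    for pkg, installer in parse_pm_list(text).items():
        if pkg.startswith(ignore_prefixes):
            continue
        if installer != GOOGLE_PLAY_INSTALLER:
            flagged.append(pkg)
    return sorted(flagged)


if __name__ == "__main__":
    # On a real device: adb shell pm list packages -i > packages.txt
    # and pass that file's contents instead of SAMPLE_PM_OUTPUT.
    for pkg in non_play_packages(SAMPLE_PM_OUTPUT):
        print(f"review: {pkg} was not installed from Google Play")
```

Run it against the saved output of `adb shell pm list packages -i` from a device; each flagged package is a candidate for review, not proof of compromise, since legitimate enterprise and vendor stores also appear as non-Play installers.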
The report from Kaspersky and the IOCs can be found here: https://securelist.com/apt-phantomlance/96772/