OceanLotus: Kaspersky has released an update on findings originally reported by Dr. Web in July 2019 about Android malware being distributed through fake apps. The malware, dubbed PhantomLance, could potentially steal victim’s money or display fake advertisements on their device. Dozens of applications were found after the initial report, and three different versions of the malware were analyzed. During an evaluation of the operations, many similarities were found between PhantomLance and previous operations carried out by the Vietnamese threat group OceanLotus. One of the latest samples analyzed was available on the Google Play Store and was removed shortly after being discovered. As Google works to increase its security around mobile apps that are available on the Google Play Store, threat actors are still working to find ways to distribute malicious applications. Threat actors, in this case, are utilizing alternate application marketplaces by creating fraudulent GitHub accounts that are registered as developer accounts. By using the developer account, the threat actor can upload new apps to marketplaces. At first, the threat actor will upload a non-malicious version of their app to be accepted by the marketplace, then alternate versions or updates containing the malware are uploaded after the original is accepted. In some cases, malicious updates are delivered directly to the apps after they are installed on Android devices, bypassing all security checks from the marketplace.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased