How Spies Snuck Malware Into the Google Play Store

Posted on Apr 30, 2020


Malicious Android apps from the so-called PhantomLance campaign targeted hundreds of users, and at least two slipped past Google’s defenses.

Google’s Play Store for Android apps has never had a reputation for the strictest protections from malware.

Shady adware and even banking trojans have managed over the years to repeatedly defy Google’s security checks. Now security researchers have found what appears to be a rarer form of Android abuse: state-sponsored spies who repeatedly slipped their targeted hacking tools into the Play Store and onto victims’ phones. Kaspersky says it has tied the PhantomLance campaign to the hacker group OceanLotus, also known as APT32, which is widely believed to be working on behalf of the Vietnamese government.

That suggests the PhantomLance campaign likely mixed spying on Vietnam’s Southeast Asian neighbors with domestic surveillance of Vietnamese citizens. Security firm FireEye, for instance, has linked OceanLotus to previous operations that targeted Vietnamese dissidents and bloggers. FireEye also recently spotted the group targeting China’s Ministry of Emergency Management as well as the government of the Chinese province of Wuhan, apparently searching for information related to Covid-19.