SIMILAR ARTICLES:

Google Is Finally Making Chrome Extensions More Secure

Thousands of Android Apps Are Silently Accessing Your Data

The Internet’s Horrifying Way to Get Google Apps on Huawei Phones

How Android Fought an Epic Botnet—and Won

Limit How Long Google Keeps Your Data With This Overdue Setting

Google Is Finally Rolling Out its Own RCS in the US

Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks

Hacker Eva Galperin Has a Plan to Eradicate Stalkerware

Adware Is the Malware You Should Actually Be Worried About

All the Ways Google Tracks You—And How to Stop It

You'll Soon Be Able to Run Linux Apps on Any Chromebook

Google Recalls Titan Security Key Over a Bluetooth Flaw

Uninstall ToTok, an Alleged Emirati Spy App, From Your Phone Now

A Hidden Nest Secure Mic, Facebook's Dead VPN, and More Security News This Week

Three Years of Misery Inside Google, the Happiest Company in Tech

Google Will Now Require Suppliers to Give Benefits to Workers

Everything Big Google Announced at I/O Today

An Android Vulnerability Went Unfixed for Over Five Years

Amid Its Covid-19 Crisis, China Was Still Hacking Uighurs’ iPhones

When Google Serves Ads in Iran, Advertisers Pay the Price

Android Is Helping Kill Passwords on a Billion Devices

How Spies Snuck Malware Into the Google Play Store—Again and Again

Google's Play Store for Android apps has never had a reputation for the strictest protections from malware. Shady adware and even banking trojans have managed over the years to repeatedly defy Google's security checks . Now security researchers have found what appears to be a more rare form of Android abuse: state-sponsored spies who repeatedly slipped their targeted hacking tools into the Play Store and onto victims' phones.At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky's researchers say, PhantomLance's hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. "In this case, the attackers used Google Play as a trusted source," says Kaspersky researcher Alexey Firsh. "You can deliver a link to this app, and the victim will trust it because it’s Google Play."

READ ALSO:

'Exodus' Spyware Posed as a Legit iOS App

Kaspersky says it has tied the PhantomLance campaign to the hacker group OceanLotus, also known as APT32, widely believed to be working on behalf of the Vietnamese government. That suggests the PhantomLance campaign likely mixed spying on Vietnam's Southeast Asian neighbors with domestic surveillance of Vietnamese citizens. Security firm FireEye, for instance, has linked OceanLotus to previous operations that targeted Vietnamese dissidents and bloggers. FireEye also recently spotted the group targeting China's Ministry of Emergency Management as well as the government of the Chinese province of Wuhan, apparently searching for information related to Covid-19.The first hints of PhantomLance's campaign focusing on Google Play came to light in July of last year. That's when Russian security firm Dr. Web found a sample of spyware in Google's app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky's researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps was fairly basic, Firsh says that they both could have expanded. "What's important is the ability to download new malicious payloads," he says. "It could extend its features significantly."

READ ALSO:

Most Android Antivirus Apps Are Garbage

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks. In total, Firsh says, Kaspersky's antivirus software detected the malicious apps attempting to infect around 300 of its customers phones.

READ ALSO:

Google Play Store’s Malware Problem, and More Security News This Week

Security News This Week: Google Play Store Has a Malware Problem. Working together with security researchers, a Motherboard investigation found that more than 20 Android apps in the Google Play Store were actually spyware that may have been developed for the Italian government.

In most instances, those earlier apps hid their intent better than the two that had lingered in Google Play. They were designed to be "clean" at the time of installation and only later add all their malicious features in an update. "We think this is the main strategy for these guys," says Firsh. In some cases, those malicious payloads also appeared to exploit "root" privileges that allowed them to override Android's permission system, which requires apps to ask for a user's consent before accessing data like contacts and text messages. Kaspersky says it wasn't able to find the actual code that the apps would use to hack Android's operating system and gain those privileges.

READ ALSO:

Alleged Spy App ToTok Puts Apple in a Bind

The article source: www.wired.com
Tags: firsh, app, google, play, store, apps, security, campaign, android, kaspersky, phantomlance,