Google Play Store has been spreading advanced Android malware for years, found 8 such apps as of now

For years, Google Play Store has been spreading advanced Android malware or High-performance backdoor that can steal a wide range of sensitive data. Researchers at Kaspersky Lab have recovered at least eight Google Play apps from 2018, the representative from Kaspersky Lab said, but researchers believe that the same advanced group’s malicious applications have been seeded to Google’s official market at least since 2016, using archive scans and other approaches.

Google dropped new malware variants immediately after the Kaspersky researchers and former software firm Dr. Web identified them. Apps in the past have been removed now and what prompted the change is unknown. Third-party platforms often have backdoor applications, all of which appear to be open.

Command-and-control areas were already registered in 2015, which made the activity more probable to be registered until 2016. Code on malicious servers linking it to an established hacking group named OceanLotus (APT32, APT-C-00, and SeaLotus), causing researchers to conclude that apps are the work of this specialized party. This code includes overlaps.

Bypassing Google security

Attackers utilized numerous successful techniques (advanced Android malware) to exploit Google’s vetting process which Google use to avoid harmful applications from running. One method was to first submit a harmless version of the app and add the backdoor only after the app was accepted. Another approach was to require few or no permissions during installation, and then dynamically request them using code hidden inside the executable file. One of the most popular features was a window cleaner.

In due course, the software offered a loophole that gathered details on the infected phone including its hardware model, its Android edition, and the installed applications. Based on this info, the attackers will download and run malicious payloads unique to a particular infected computer using a malicious program. Call files, addresses, text messages, and other confidential details may be obtained from payloads.

The attackers were able to prevent detection by customizing the payload and not filling a system with unwanted parts. In a surprise, the harmful payload in the APK itself was stored in a later download.

COVID portal by Google

Alexey Firsh and Lev Pikman from the Kaspersky laboratory wrote, “Our key hypothesis of motives is that the attackers seek to use a variety of techniques to accomplish their main goal, to circumvent the official Google marketplace filter”.  “So they achieved so because the Android scanners reached only that edition and in 2019 they were submitted to Google Play Store” they added.

Officials at Google failing to tell whether or even whether the business will not use the mentioned methods to bypass the software monitoring mechanism for malicious apps. The officials then made a remark stating, “Our identification capacities are still enhanced. We thank the researchers’ efforts in communicating with us their findings. Since then all the devices that they have found have been taken by us.


PhantomLance’s key purpose is the retrieval from the victim’s computer of sensitive details. The malware provides its managers with position details, call logs, text messages, lists of apps enabled and complete device records. Moreover, the C&C server can extend its capabilities at any time simply by loading additional modules.

Most software had functions including rooting of the machines. Apps with established rooting bugs will be needed to operate on computers, or attackers could exploit faults which are not yet established to Google or the public. Kaspersky Lab scientists noticed in the applications themselves no local privilege escalation vulnerabilities but did not rule out these assaults.

Google Play to share a high-performance backdoor?

A significant function will partly address this question: the malware will access and run additional payloads on c2 servers. So it would be feasible to access any type of computer details such a machine update, the list of enabled devices, etc. The following example is true. When this specific infected computer looks appealing, based on this initial knowledge, the attackers might then send out a special payload that could be used by, for instance, LPE for their Android app. We couldn’t have all of the payloads, these people are very fantastic at OPSEC, and we can’t quite check how the payloads feel.

Another advancement that reveals the advanced applications: if root credentials are available, a reflective request is used by malware to acquire the permissions without user intervention through an undefined programmatic framework named “setUidMode.”

List of malicious apps

Package nameGoogle Play persistence date (at least)

source: Kaspersky Lab

The PhantomLance program has been named by Kaspersky Lab researchers. Based on the previously mentioned overlaps, scientists depend on the research of OceanLotus for years. Their confidence is strong. The Party threatens Asian states, activists and journalists primarily, researchers claim, concentrating in particular on objectives that are detrimental to Vietnam’s interests. Vietnamese device names and other lists.

This is not the first instance that sophisticated hackers have been using Play to distribute malware through their links to rich governments. Earlier this year, researchers discovered SideWinder, a code name for a disruptive hacker community that attacks military institutions from at least 2012, to create Google Play applications. In 2019, Egypt used Google’s official platform to kill men.

There is no risk of individuals becoming diagnosed with this community beyond a very small set of population details.

External Resouce: Kaspersky Daily

Leave a Reply