Google: App Quality Control?
May 21, 2020
It appears APT group OceanLotus, believed to originate in Vietnam, managed to play Google Play and other app marketplaces for half a decade. DarkReading reports, “5-Year-Long Cyber Espionage Campaign Hid in Google Play.” The attack campaign, dubbed “PhantomLance” by Kaspersky and called “Operation Oceanmobile” by BlackBerry researchers, mainly targeted Android users in Southeast Asia. The malware managed to evade detection in part by changing up its code over time. BlackBerry published their investigation last October, while Kaspersky recently revealed new details. The malicious code was hidden in utility apps like ad blockers, Flash plug-ins, and cache cleaners as well as (interestingly) Vietnamese apps for finding local churches and bars. Writer Kelly Jackson Higgins cites Kaspersky researcher Alexey Firsh:
“Firsh says he and his team decided to dig deeper into a Trojan backdoor that was first revealed in a July 2019 report by researchers at Dr. Web. The relatively unusual backdoor, they found, dated back to at least December 2015, the registration date of one of the domains used in the campaign, according to Firsh. The latest sample of the spying malware was present in apps on Google Play in November 2019, he says, when Kaspersky notified Google. … The attackers created several versions of the backdoor, with dozens of samples, and when an app first went up in Google Play or other app stores, it didn’t contain malware: That was added later in the form of an update, after the user had installed it.”
Sneaky. The attackers also used different encryption keys and separate infrastructures. They even went to the trouble of writing realistic privacy policies for each app, maintaining customer service email addresses where they actually answered questions, and creating a fake developer profile on GitHub to look legit. Higgins explains what the software was up to:
“The malware performs the usual spy stuff, gathering geolocation information, call logs, contact lists, and SMS messages, as well as information on the victim’s device, such as model, operating system, and installed apps. ‘But we see that it also has the ability to execute special shell commands from the [C2] server and download additional payloads on the victim’s device,’ Firsh explains.”
Also known as APT32, OceanLotus has targeted Vietnamese dissidents, journalists, and other citizens as well as industries in China, the Philippines, Germany, the UK, and the US.
Cynthia Murrell, May 21, 2020