Google Play falls victim to PhantomLance hacking campaign

Google Play has served as a hacker playground for years. Most recently, security researchers identified state-sponsored spies who repeatedly dumped their hacking tools into the Play store and onto unsuspecting users’ devices.

In a campaign dubbed PhantomLance, researchers claim these spies hid malware in the Play store, targeting users in Vietnam, Bangladesh, Indonesia, and India. However, unlike most other shady apps found in the store, PhantomLance's hackers smuggled in data-stealing apps, consequently infecting hundreds of users.

Kaspersky’s researchers also claim to have connected PhantomLance to the hacker group OceanLotus, or APT32. OceanLotus is believed to be working on behalf of the Vietnamese government, which means PhantomLance may have mixed spying on its neighbors with domestic surveillance of Vietnamese citizens.

PhantomLance came to light in July of last year when Russian security firm Dr. Web uncovered a sample of spyware in the Google Play store. This spyware impersonated graphic design software but was also able to steal contacts, call logs, and text messages from Android users’ phones.

Kaspersky’s research team went on to find numerous spyware apps dating back to 2015. Google had already removed some of the apps from the Play Store, but they’ve remained visible in archived mirrors of the app repository. Each app was designed to be "clean" when installed so it would bypass Google’s security, but it would later add malware to user devices during app updates and through permission requests.
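An added example, not from the original article or from Kaspersky's research: one way a defender could flag the "clean at install, more access after updates" pattern described above is to diff the permissions declared by successive releases of an app. The package name `com.example.design`, the helper `sample_manifest` and the release history are constructed for illustration, and the manifests are assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions guarding the data the article says was stolen.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
}

def declared_permissions(manifest_xml):
    """Permissions requested in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def permission_drift(releases):
    """releases: iterable of (version_code, manifest_xml).
    Returns one finding per update that requests permissions its predecessor did not."""
    ordered = sorted(releases, key=lambda r: r[0])
    findings = []
    for (_, old_xml), (version, new_xml) in zip(ordered, ordered[1:]):
        added = declared_permissions(new_xml) - declared_permissions(old_xml)
        if added:
            findings.append({"version": version, "added": sorted(added),
                             "sensitive": sorted(added & SENSITIVE)})
    return findings

def sample_manifest(version, perms):
    """Build a constructed manifest for the hypothetical package com.example.design."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.design" android:versionCode="{version}">{uses}</manifest>')

# Constructed release history: a clean first version, then updates that add data access.
SAMPLE_RELEASES = [
    (1, sample_manifest(1, ["INTERNET"])),
    (2, sample_manifest(2, ["INTERNET", "READ_CONTACTS", "READ_CALL_LOG"])),
    (3, sample_manifest(3, ["INTERNET", "READ_CONTACTS", "READ_CALL_LOG", "READ_SMS"])),
]
```

A manifest diff only sees what each release declares, so code fetched at runtime needs separate analysis.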

Once Kaspersky identified the PhantomLance apps, its researchers could match the apps’ code with malware also used by OceanLotus, which has been active since as early as 2013.

PhantomLance isn’t the first instance of state-sponsored hackers using Google Play to distribute spy tools. Google has yet to say clearly if it’s working to prevent malicious apps from taking advantage of unsuspecting users.

Instead, the company issued a statement claiming: “We’re always working to improve our detection capabilities. We appreciate the work of the researchers in sharing their findings with us. We’ve since taken action against all the apps they identified.”