Kaspersky investigated the malware campaign after Dr Web discovered a backdoor trojan on the Google Play Store last July. The trojan allowed cybercriminals to remotely control infected Android devices and spy on users, and the threat was later attributed to OceanLotus.
In its findings, Kaspersky identified multiple code similarities between the previous Android campaign and the latest one.
The Kaspersky report said: “The threat actor was able to download and execute various malicious payloads, and thus adapt the payload that would be suitable to the specific device environment, such as the Android version and installed apps. This way, the actor was able to avoid overloading the application with unnecessary features and at the same time gather the desired information”.
Kaspersky listed a number of the Android apps which contained PhantomLance malware. Here are the names of the packages…