Vietnamese hackers exploited Google Play Store for espionage campaign

Vietnamese government-linked hackers have been distributing malicious applications in the Google Play Store for at least the last four years, Kaspersky researchers said Tuesday.
Google Play Store
A Google Play Store advertisement in New York's Times Square. (Getty Images)

Hackers with suspected links to the Vietnamese government have been using the Google Play Store to distribute malicious software for the last four years, according to Kaspersky research published Tuesday.

The targeted Android campaign, which Kaspersky dubbed “PhantomLance,” affected roughly 300 devices in nearly a dozen countries including Vietnam, India, Bangladesh, Indonesia, Iran, Algeria, South Africa, Nepal, Myanmar, and Malaysia, the company said. Researchers say with “medium confidence” the espionage campaign is connected to a known hacking group, OceanLotus or APT32, previously linked to the Vietnamese government.

While attackers are targeting users in several countries, they appear to be especially focused on users in Vietnam. The effort suggests hackers are running domestic as well as foreign espionage operations, according to Kaspersky.

They have been distributing their campaign through applications which promise to help users locate the nearest pub in Vietnam, or providing information on nearby churches.


In addition to sharing APT32’s interest in victims located in Vietnam, the PhantomLance campaign’s malware, code structure and payloads overlap with known APT32 tools, Kaspersky Security Researcher Alexey Firsh said in a blog post.

It’s the latest example of apparent state-backed hackers and scammers abusing the Google Play Store to trick users into downloading malicious applications. Suspected Iranian-backed and Russian-backed groups also have taken advantage of the platform to distribute malware in previous years. Google has taken steps in the last several months to improve its approach to rooting out bad actors on its store, most recently announcing a partnership with mobile security vendors.

The company did not immediately return a request for comment.

Kaspersky’s findings build on an earlier set of malware that Dr. Web, a Russian firm, exposed on the Google Play Store last year.

Flying under the radar


Over the course of the four-year campaign, suspected APT32 attackers developed multiple versions of their malware, likely in order to bypass Google marketplace filters, Firsh said.

Hackers used fake developer profiles on GitHub, as well as falsified license agreements, to gain approval for applications that contained no malicious functionality. They would later update the applications, converting them into hacking tools.

Once installed on victims’ devices, the malware-laced applications are capable of collecting call logs and geolocation data from targets, as well as information on contacts, text messages, their device model and the operating system version.

Attackers also tailored their malware to specific devices, to varying degrees of complexity.

One type of malware was just a piece of software capable of gaining additional permissions without user interaction, for instance.


Another embedded the malicious payload in an encrypted file, which contained a decryption key. In another iteration that surfaced this year, the hackers have separated the decryption key from the malicious file, instead opting to deliver it via Google’s Firebase.

“Our main theory about the reasons for all these…maneuvers is that the attackers are trying to use diverse techniques to achieve their key goal, to bypass the official Google marketplace filters,” Firsh wrote.

Based on some of the parameters in these versions, Kaspersky assesses the Vietnamese hackers are still experimenting with some features in the campaign, and may be working on establishing a third-stage payload moving forward.

Wired first reported on the research, which Firsh presented Tuesday at a virtual session of the Security Analyst Summit.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts