'Hackers have been using Google Play for years to distribute an
unusually advanced backdoor capable of stealing a wide range of
sensitive data, researchers said on Tuesday.
Researchers from security firm Kaspersky Lab have recovered at least
eight Google Play apps that date back to 2018, a Kaspersky Lab
representative said, but based on archive searches and other methods,
the researchers believe malicious apps from the same advanced group
seeded Google’s official market since at least 2016.
Google removed recent versions of the malware shortly after the
researchers from Kaspersky, and earlier fellow security firm Dr. Web,
reported them. Apps from earlier were already removed, and it’s not
clear what prompted the move. Third-party markets have also hosted the
backdoored apps, and many of them remain available.
Command-and-control domains were registered as early as 2015, raising
the possibility the operation goes back earlier than 2016. Code in the
malware and command servers it connects to contains several overlaps
with a known hacking group dubbed OceanLotus (aka APT32, APT-C-00, and
SeaLotus), leading researchers to believe the apps are the work of
that advanced group.'
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174