Malware in Google Apps

Interesting story of malware hidden in Google Apps. This particular campaign is tied to the government of Vietnam.

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call PhantomLance, in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky’s researchers say, PhantomLance’s hackers apparently smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. “In this case, the attackers used Google Play as a trusted source,” says Kaspersky researcher Alexey Firsh. “You can deliver a link to this app, and the victim will trust it because it’s Google Play.”


The first hints of PhantomLance’s campaign focusing on Google Play came to light in July of last year. That’s when Russian security firm Dr. Web found a sample of spyware in Google’s app store that impersonated a downloader of graphic design software but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky’s researchers found a similar spyware app, impersonating a browser cache-cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps was fairly basic, Firsh says that they both could have expanded. “What’s important is the ability to download new malicious payloads,” he says. “It could extend its features significantly.”

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even Github repositories for spoofed developers to make the apps appear legitimate and hide their tracks.

EDITED TO ADD (7/1): This entry has been translated into Spanish.

Posted on May 5, 2020 at 6:03 AM15 Comments


Alan May 5, 2020 8:37 AM

I feel like “Malware in Google Apps” is a misleading title here, it implies that the malware was added to Google’s own first-party apps, rather than that the Play Store was used to distribute malware which seems to happen quite often.

Judy Woodruff May 5, 2020 9:23 AM

Malware hosted by an app store?

Not sure if this even qualifies as newsworthy. With the ongoing pandemic media outlets must really be scraping the bottom of the barrel to come up with content to keep their advertisers happy.

Jeff May 5, 2020 10:17 AM

The term “Google Apps” is commonly used to refer to those android applications written by Google and bundled with the OS. This is usually shortened to “GApps”, and refers to Google Maps, Google Mail, etc.

When I saw this post’s title, I thought someone had managed to subvert Google’s own code, which is a 4-alarm fire. I would suggest that title be edited to remove this impression.

Who? May 5, 2020 3:19 PM

All Google Play apps are some sort of malware, most times not even hidden inside. Why hidding something that is openly accepted by society? Screensavers wanting access to our GPS and contact lists, apps taking control of notifications on our phones, games used by CIA contractors to map the world, sometimes even places Google Street View cars cannot reach… the only difference is the ones noted in this thread have not been authorized by large US corporations or the Government itself.

Even the Android operating system is malware itself. It does nothing to protect users, but it the perfect surveillance platform for industry. The same as the Street View cars, capturing Wi-Fi networks traffic wherever possible.

By the way, Apple is not better.

Drone May 5, 2020 3:42 PM

It’s funny, today I called Bank of America asking how I can deposit my Economic Impact Payment check without having to stand in line in one of their Coronavirus infested bank branches. The Agent on the other end of the line cheerfully told me that I should install their Safe & Secure Bank of America Android App on my phone and use that to take a picture of the endorsed check then electronically deposit it. I immediately burst out laughing and told her to never use the words Android, Safe, and Secure in the same sentence! In the end the only other option was to send a paper letter to Bank of America’s regional headquarters with the endorsed check and my deposit details enclosed. Sheeesh – so much for “High Technology”.

Doug May 5, 2020 4:21 PM

@Drone: So you want a technological solution, and when they offered you one, you rejected it? And then you complain that you have to mail the check to them. What scenario would make you happy?

And sarcastic kudos for laughing at the customer service representative. I doubt that made her day better.


Who? May 5, 2020 7:50 PM

@ Doug, Drone

I guess Drone is looking for something like a web interface. It can be made relatively secure, use smartcards –or other cryptographic token– as an authenticator on a two step verification model, and choose a somewhat secure operating system — my choice would be OpenBSD. Why “secure” is synonym of smartphone is out of my comprehension but I can do some guesses.

I only hope the people that considers “secure” a smartphone is not the same running the backbone communication systems on the bank.

Who? May 5, 2020 7:59 PM

I have the same problems with my bank.

When I asked them to provide an alternative to the hyperhyped smartphones for our sensitive bank operations they answered “you know our bank operates on the Internet, right?”. My answer was “yes, I know it, this one is the very reason I opened an account on this bank twenty years ago”, and they replied “you know Internet is a network of smartphones, right?”… how can I answer to a comment like that one that does not implies me being kicked out of the bank office?

Wael May 5, 2020 9:44 PM


By the way, Apple is not better.

Why? (Goes well with your handle)

how can I answer to a comment like that one

1) O I thought the internet was a network of banks!
2) No! Enlighten me: how does affect you?
3) You mean the phone is an IoT device? How strange!
4) Pretend to be confused and say: but… but how many frogs are there in a year?

Who? May 6, 2020 3:56 AM

@ Wael

Apple is one of the members of the PRISM program; it means they have opened a front door to the US Government, that can do anything they want on customers data without a search warrant. Up to my knowledge, collaboration on the PRISM program was (is?) voluntary.

Apple is not better than Google, Microsoft or Facebook.

Of course, on the public side they are making a lot of noise with the iPhones lock mechanism, but the truth is that they were participating on that surveillance program.

Your answer to the bank staff are funny! I am worried about number three because both phones are in most cases IoT devices (lack of critical updates after a few months, poor security, no manageability at all, widely open…) and Internet is seen as an IoT deployment network. We have moved from deploying computers on it to deploying unmanaged toys. I guess they would have kicked me out with any of these answers, but I should not really care—on the first visits to their office they did not unlock my bank account but tried to sell me a credit.

Wael May 6, 2020 4:21 AM


Apple is one of the members of the PRISM program

Nobody’s safe against Class-3 adversaries (not even heads of state). I was referring to malware / general OS – ecosystem security. For Class-3 defense, one can’t depend on (or trust) cots SmartSnitch© devices.

I’m sure the specs were enhanced over the past five years!

but tried to sell me a credit.

Good! You didn’t fall for it!

UFABET May 6, 2020 9:25 AM

To make the malicious behavior harder to detect, the apps were written in native Android code—typically in the C and C++ programming languages. Android apps usually use Java to implement logic. The interface of that language provides developers with the ease of accessing multiple layers of abstraction. Native code, by contrast, is implemented in a much lower level. While Java can easily be decompiled—a process that converts binaries back into human-readable source code—it’s much harder to do this with native code.

Drone May 10, 2020 12:29 AM

@Doug, said: “What scenario would make you happy?”

Gee Doug, you’ve got a chip on your shoulder!

I guess it’s not obvious to you from my post but what’s needed is to be able to post pictures of the check on the Bank of America (BofA) Web site when I am securely logged in, just like they want me to do on their phone app, which I trust far less than their Web site. The BofA Web site already demands fairly safe passwords, 2FA, and they have my digitized signature card. However, BofA is obsessed with getting their account holders to use their mobile app, which I won’t do. I think BofA dumbs-down their Web site compared to their phone app on purpose.

@Who? said: “I guess Drone is looking for something like a web interface.”

Yup you got it. Thanks. I should have been more explicit in my OP though.

stine May 12, 2020 4:08 PM

Forget Google Maps. More than 50% of the results of the windows/linux/tcp queries I have run in the last few weeks, looking for specific error messages, have returned obvious malware/malvertising sites in the top 10. SEO should be a crime.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.