Sneaky. Encourage users to install an app, then use updates to infect it. I’m waiting to see who uses ‘in-app purchases’ to do the same thing…:
[…] Alexey Firsh, security researcher with Kaspersky, says he and his team decided to dig deeper into a Trojan backdoor that was first revealed in a July 2019 report by researchers at Dr. Web. The relatively unusual backdoor, they found, dated back to at least December 2015, the registration date of one of the domains used in the campaign, according to Firsh. The latest sample of the spying malware was present in apps on Google Play in November 2019, he says, when Kaspersky notified Google. The apps, which were a mix of dozens of consumer utility-type apps such as ad blockers, Flash plug-ins, cache cleaners, and updaters, as well as Vietnamese apps for locating nearby bars and churches, were then removed from the Google Play store.
Unlike most malicious mobile apps, PhantomLance is all about targeting, and not wide-net infections or promoting its installation. The attackers created several versions of the backdoor, with dozens of samples, and when an app first went up in Google Play or other app stores, it didn’t contain malware: That was added later in the form of an update, after the user had installed it. That’s likely what allowed the apps to pass any app store vetting.
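The quoted article says the first published build was clean and the backdoor arrived in a later update, but it does not say how store vetting works or what the update changed. As an added example (my own code, not Kaspersky's, Dr. Web's or the article's), here is the kind of check a reviewer or an MDM pipeline can run on its own copies of two APK versions: compare the code-bearing zip entries (DEX files, native libraries, assets) and flag any update that adds or modifies code, since that is exactly the moment a "benign first, payload later" app should be re-reviewed. The two APKs are tiny zip files constructed in memory for the demo, not real samples.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for two versions of one app (in-memory zips, not real
# malware samples). v1 is the "clean" first release; v2 is the update that
# quietly adds a second DEX file and a native library.
def build_apk(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

APK_V1 = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00v1-code",
    "res/layout/main.xml": b"<LinearLayout/>",
})

APK_V2 = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\x00v1-code",          # unchanged
    "classes2.dex": b"dex\n035\x00new-code",        # added code
    "lib/arm64-v8a/libhelper.so": b"\x7fELF-stub",  # added native code
    "res/layout/main.xml": b"<LinearLayout/>",
})

# Entries that can carry executable code or a packed payload. assets/ is
# included because encrypted or disguised payloads are often dropped there.
CODE_PREFIXES = ("lib/", "assets/")
CODE_SUFFIXES = (".dex", ".so", ".jar")

def is_code_entry(name):
    return name.endswith(CODE_SUFFIXES) or name.startswith(CODE_PREFIXES)

def code_entries(apk_bytes):
    """Map each code-bearing entry to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if is_code_entry(info.filename)
        }

def diff_code(old_apk, new_apk):
    """Return the code entries an update added, modified or removed."""
    old, new = code_entries(old_apk), code_entries(new_apk)
    return {
        "added": sorted(set(new) - set(old)),
        "modified": sorted(n for n in new if n in old and new[n] != old[n]),
        "removed": sorted(set(old) - set(new)),
    }

def needs_rereview(diff):
    # Any new or changed code means the earlier review no longer covers the app.
    return bool(diff["added"] or diff["modified"])

if __name__ == "__main__":
    d = diff_code(APK_V1, APK_V2)
    print(d)
    print("re-review:", needs_rereview(d))
```

Two caveats a practitioner should keep in mind. First, this only catches code shipped inside the update package; an app whose first version already contains a loader that fetches code at runtime will look unchanged here, so the check complements rather than replaces behavioural review of the installed app. Second, hashing entry contents (rather than relying on the zip's CRC) is deliberate: a CRC is easy to keep constant while changing bytes, a SHA-256 is not.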