What Is PhantomLance? A Comprehensive Explanation


PhantomLance is a least heard phrase in the Android world. You would be surprised to know about a campaign that started around the end of 2015, where cybercriminals were able to upload malware to previously developed android applications listed in the play store and other markets. It is known as a backdoor trojan, which is a very sophisticated malware that aims at stealing users’ money and displaying ads.

In simple terms, we can say, attackers were able to inject malware to apps via backdoor as a trojan even after Google’s tight security policies and periodic check-up. In 2016, various companies from the security domain reported dozens of vulnerable apps to Play Store and then those were removed consequently. 

To elaborate this campaign further, we can breakdown everything into below sections,

  1. Malware versions: Technical description and the type of techniques used during framing the malware.
  2. Spread: Tactics used by the attackers to spread the malware in different app markets.
  3. Infrastructure: Details on uncovered infrastructure pieces as well as overlaps found.
  4. Victimology: Thoughts on the attackers’ interests in choosing their targets.
  5. Overlaps with previous campaigns: Details of similarities among different campaign and versions.

Malware versions:

To simplify the division, the malwares were divided into three versions based on their technical complexities. The underlying architecture and intention of the malware are similar, the main purpose is to steal sensitive information. Based on complexity and capabilities of the malware, attackers can execute below actions in victims smartphone remotely without their consent,

  • Accessing geolocation in the background
  • Fetch call logs
  • Get access to SMS to read One-time passwords remotely
  • Leaving backdoor open to install device-specific payloads at a later point of time for more exploitation.

Version 1:

This is the most simple malware in the list and was introduced to PlayStore and other app stores in 2019. In this version, the primary task was to bypass the security checks, versioning filter and Google’s official marketplace filters.

The attackers were able to bypass the filters as the source code(manifest file containing all app-specific configuration) was completely clean, there was no trace of the unnecessary grant of user permissions. Rather the attackers were smart enough to dynamically request the permissions and these were hidden inside the dex executable.

Version 2, 2.1 and 3:

As compared to the previous version, these versions are more complex in terms of technicality. Such patterns were detected in 2020, 2019 and earlier. In these versions, the AES(Advanced Encryption Standard) algorithm used in the multi-stage malicious APK creation process where the payloads were encrypted. Explanation and coding of these versions are beyond the scope of this article. 

Till now we are pretty clear that custom payloads aka ‘Malware’ need to be repacked into the existing APK file and results in a new modified and larger APK file on the go. 


Attackers are usually targeting third-party app stores for spreading malware. It is rare to find malicious apps in verified marketplaces like Google PlayStore or Amazon AppStore. It has been reported in many third-party app stores such as https://apkcombo[.]com, https://apk[.]support/, https://apkpure[.]com, https://apkpourandroid[.]com and many others. 

How to keep yourself safe?

  • Use verified AppStores to download apps.
  • Always understand the requested permissions.
  • Always read the description carefully before downloading any apps. You can easily find the developer details and information regarding developing companies.
  • Usually, the modified APK files are larger than the original version.


While analyzing the С2 server infrastructure, researchers identified multiple domains that shared similarities with previous ones but were not linked to any known malware samples. This allowed us to uncover more pieces of the attackers’ infrastructure. Here, attackers extended the expired domains to hide their real identities. And surprisingly all the domains were pointing to the same IP address hosted with DigitalOcean.


Most of the Asian countries like India, Vietnam, Bangladesh, Indonesia, Nepal, Myanmar, Malaysia, Iran and Algeria from Africa were targetted by the attackers. It is interesting to note that the victims were targeted randomly, not directly related to the attacker’s interest. Most of the victims used a third-party android app store to download apps coming under common luring categories like cleaners, updaters, plugins. One of Vietnam’s local newspaper(Tin 247 – Read Daily Newspaper”) app was injected with malware and uploaded in third-party app stores. 

Overlaps with previous campaigns:

In this section, we will look into the correlation of PhantomLance’s activity with previously reported campaigns related to the OceanLotus APT, Windows backdoor and MacOS backdoor. Researchers found a lot of similarities including patterns, techniques used to fabricate malware, the underlying infrastructure and spreading of the malware. Considering the timeline of Android campaigns, the malicious activities were conducted by OceanLotus till 2017 and PhantomLance is a successor, active since 2016.

Data privacy and internet security are two of the biggest challenges in this era of burgeoning cyber threats. To keep ourselves safe, we shall download verified applications from trusted app stores, and it is always a good practice to be aware of the permissions requested by applications. So next time if a music player trying to access your contacts, it is the time to ask questions.

Ankita Mohanty is a Software Engineer who has the passion for content creation, tech and travel. She believes in that there's nothing in this world that's unachievable when you work hard for it.