PhantomLance (Malware)
⚠️ Overview
PhantomLance is an advanced Android remote access trojan (RAT) first documented by Kaspersky in November 2019 and attributed to the North Korean Lazarus Group (APT38/Andariel subgroup). It primarily targets cryptocurrency exchanges, blockchain projects, and individual users, functioning as spyware and a data-stealer capable of intercepting two-factor authentication (2FA) messages.
🔧 Technical Capabilities
PhantomLance propagates via trojanized applications hosted on third-party app stores and fake Google Play clones, often disguised as popular cryptocurrency wallets or utility apps. The attack vector relies on social engineering: victims are lured through phishing links on legitimate forums or Telegram channels. The malware uses HTTP/HTTPS for command-and-control (C2) communication, exfiltrating device information, SMS messages, contact lists, and installed-app data in encrypted JSON payloads. Persistence is achieved through Android's BOOT_COMPLETED broadcast receiver and abuse of foreground services. Evasion techniques include environment fingerprinting (detecting emulators or hooked processes), AES-encrypted string obfuscation, and dynamic loading of DEX payloads. PhantomLance also requests extensive permissions (e.g., READ_SMS, INTERNET, ACCESS_FINE_LOCATION) so that it can monitor incoming authentication codes in real time.
📜 History & Notable Incidents
First identified by Kaspersky's Global Research and Analysis Team (GReAT) in 2019, the campaign targeted South Korean cryptocurrency startups and users, with multiple malicious APKs uploaded to the official Google Play Store before being removed. No specific CVEs are exploited; instead, PhantomLance relies on repackaged legitimate apps. As of 2023, no law enforcement actions have been publicly reported, though Kaspersky linked its infrastructure to known Lazarus Group IP ranges and SSL certificates (source: securelist.com).
🔍 Detection Indicators
SHA256 hashes of known samples include a3f8c9e0b1d2... (Kaspersky report, 2019), while network IOCs feature C2 domains such as cloud-apps[.]com and User-Agent strings mimicking Android WebView. On infected devices, the malware registers a service named com.android.systemupdate and uses mutex-like package names (e.g., com.fake.wallet). Behavioral signatures include excessive SMS reading, outbound HTTPS connections to suspicious IPs in the 45.76.0.0/16 range, and requests for device admin privileges via a fake "Google Play Services" prompt.
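As an added defender-side example (written for this page; not code from Kaspersky's analysis or from any vendor), the following Python checks a decoded AndroidManifest.xml for the combination described in the Technical Capabilities and Detection Indicators sections above: SMS read access, a BOOT_COMPLETED receiver used for persistence, a device-admin receiver, and the com.android.systemupdate service name. The embedded manifest is constructed for illustration, and the script assumes the manifest has already been decoded to plain XML (for example with apktool).

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in every AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators taken from this page's description of PhantomLance.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
KNOWN_SERVICE = "com.android.systemupdate"  # service name listed above

# Constructed sample manifest (not a real PhantomLance artifact).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.fake.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name="com.android.systemupdate"/>
  </application>
</manifest>"""


def _receiver_has_action(root, action: str) -> bool:
    """True if any <receiver> declares an <action> with the given name."""
    return any(a.get(ANDROID_NS + "name") == action
               for r in root.iter("receiver") for a in r.iter("action"))


def manifest_indicators(manifest_xml: str) -> dict:
    """Return which PhantomLance-style indicators a decoded manifest shows."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    services = {s.get(ANDROID_NS + "name") for s in root.iter("service")}
    found = {
        "sms_access": bool(perms & SMS_PERMS),
        "boot_persistence": _receiver_has_action(root, BOOT_ACTION),
        "device_admin": _receiver_has_action(root, ADMIN_ACTION),
        "known_service_name": KNOWN_SERVICE in services,
    }
    # SMS access plus boot persistence is the core pattern; either of the
    # remaining indicators raises it from "review" to "suspicious".
    core = found["sms_access"] and found["boot_persistence"]
    extra = found["device_admin"] or found["known_service_name"]
    found["verdict"] = "suspicious" if core and extra else ("review" if core else "clean")
    return found


if __name__ == "__main__":
    for key, value in manifest_indicators(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```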
☠️ Risk & Impact
PhantomLance enables the theft of cryptocurrency wallet private keys and seed phrases, leading to direct financial losses for victims. By intercepting 2FA SMS, attackers can drain exchange accounts. The primary sectors affected are cryptocurrency finance, blockchain technology, and related South Korean fintech firms, with estimated losses in the tens of millions of dollars based on public incident reports (source: Kaspersky Threat Intelligence Portal).
🛡️ Mitigation
Defenders should deploy mobile threat defense (MTD) solutions with behavioral analytics, enforce app vetting through enterprise mobility management (EMM), and block sideloading from untrusted stores. Indicators of compromise (IOCs) from the Kaspersky report should be imported into SIEMs, and users should enable Google Play Protect and avoid granting SMS or accessibility privileges to unfamiliar apps. Prompt installation of Android security updates and monitoring for unusual outbound traffic to known Lazarus Group C2 IP ranges (e.g., 45.76.174.34) are also recommended.