Android Campaign from Known OceanLotus APT Group Potentially Older than Estimated, Abused Legitimate Certificate

A group of
sophisticated threat actors known as OceanLotus or PhantomLance has recently become
known for disseminating advanced Android threats via official and third-party
marketplaces since 2014. They have sought to remotely control infected devices,
steal confidential data, install applications and launch arbitrary code.

While security
researchers have recently documented the group and their campaigns, a
Bitdefender investigation has revealed 35 new malicious samples, and
evidence that the campaign may have used a legitimate and potentially
stolen digital certificate 
to sign some samples.

The modus operandi for
the APT group involved spreading tainted Android apps through Google Play and
third-party marketplaces by initially uploading a clean version and then adding

Security researchers
have linked attribution to the OceanLotus APT group to the shared
infrastructure between the Android malware and past command and control domains
used for Windows-based advanced threats that have historically targeted
Microsoft users. It is believed these older campaigns also had connections to
the Hacking Team group, which is known to have served the APT32 group.

While OceanLotus targets victims mostly from Africa and Asia, Bitdefender telemetry also indicates scans in countries such as Japan, South Korea, Vietnam, Germany and India. This threat is detected as Android.Trojan.OceanLotus by Bitdefender.

Finding Patient Zero

The oldest sample
found in the Bitdefender repository (APK MD5: 315f8e3da94920248676b095786e26ad) and associated with the OceanLotus APT group seems to have
first landed on Google Play in April 2014. Previous estimates of
the campaign’s origin date the oldest known Google Play sample to December

According to the
internal zip file timestamp, the sample was built on 2014.04.05 and
ended up in our collection just days after.

An interesting observation is that this sample is signed with a certificate belonging to VL Corporation. This certificate was generated on July 2013, and over 100 different applications on Google Play, other than OceanLotus Malware, seem to have been using it until 2014. This suggests that the cybercriminal group may have successfully smuggled tainted apps into Google Play using a valid certificate.

 Certificate:      Data:          Version: 3 (0x2)          Serial Number: 2002933886 (0x7762587e)          Signature Algorithm: sha256WithRSAEncryption          Issuer: C=VN, ST=10000, L=HN, O=VL Corporation, OU=VL Corporation, CN=VL Corporation          Validity              Not Before: Jul 22 18:57:09 2013 GMT              Not After : Jul 16 18:57:09 2038 GMT          Subject: C=VN, ST=10000, L=HN, O=VL Corporation, OU=VL Corporation, CN=VL Corporation  

It’s likely that he certificate was leaked and abused by the APT group. Currently, none of the over 100 applications that were in Google Play and signed with this certificate still have it.

Targeted Countries

In terms of telemetry, over the
past 3 months alone we have seen 25 reports involving this threat, mostly in
the US, Japan and South Korea. Granted, it’s likely that the reports in the US
may not be actual devices, but Amazon-hosted Android machines rigged
to run the samples potentially for security analysis. It’s not uncommon for
security researchers to perform this type of sandboxing, especially when trying
to pull indicators of compromise or study malicious behavior.

However, reports from South Korea and Japan do indicate at least a limited number of devices have recently encountered OceanLotus APT samples.

Android OceanLotus top 10 countries where threat was reported

Tracking the Spread

In terms of spread,
while security researchers already reported that distribution occurred through
both the official Google Play marketplace and third-party marketplaces, some
that mirror Google Play still host these samples. This means that, while Google
does a great job at timely managing their app collection and responding to
input from security researchers and vendors, third-party marketplaces remove
these threats slowly – if ever – potentially exposing users to malware,

Some examples of third-party marketplaces that still host these malicious samples include:


While there’s already a comprehensive list of samples attributed to the OceanLotus APT group, for which we know they have been in Google Play, we’ve added the following that have also been confirmed on Google Play at some point.

For the full list of additional new samples (md5) found by Bitdefender researchers and attributed to the OceanLotus APT, please check below:

3043a2038b4cb0586f5c52d44be9127d     f449cca2bc85b09e9bf4d3c4afa707b6 76265edd8c8c91ad449f9f30c02d2e0b     5d909eff600adfb5c9173305c64678e7 66d4025f4b60abdfa415ebd39dabee49     7562adab62491c021225166c7101e8a1 7b8cba0a475220cc3165a7153147aa84     63e61520febee25fb6777aaa14deeb4a 9236cf4bf1062bfc44c308c723bda7d4     f271b65fa149e0f18594dd2e831fcb30 e6363b3fae89365648b3508c414740cd     d9e860e88c22f0b779b8bacef418379e 3d4373015fd5473e0af73bdb3d65fe6a     a57bac46c5690a6896374c68aa44d7b3 08663152d9e9083d7be46eb2a16d374c     18577035b53cae69317c95ef2541ef94 eee6dcee1ab06a8fbb8dc234d2989126     5d07791f6f4d892655c3674d142fe12b f0ea1a4d81f8970b0a1f4d5c41f728d8     320e2283c8751851362b858ad5b7b49c 1fb9d7122107b3c048a4a201d0da54cd     bb12cc42243ca325a7fe27f88f5b1e1b 01b0b1418e8fee0717cf1c5f10a6086b     4acf53c532e11ea4764a8d822ade9771 6ff1c823e98e35bb7a5091ea52969c6f     1e5213e02dd6f7152f4146e14ba7aa36 3fe46408a43259e400f7088c211a16a3     c334bade6aa52db3eccf0167a591966a 53ba3286a335807e8d2df4aae0bd0977     7f59cb904e2e0548b7f0db12c08b9e25 49d1c82a6b73551743a12faec0c9e8b1     6b323840d7cb55bb5c9287fc7b137e83 2e1ed1f4a5c9149c241856fb07b8216b     6737fba0f2b3ea392f495af9a0aa0306 bda442858c33ae7d9f80227c55f6a584      

Circumventing Google Play

It’s common for attackers to
submit a clean version to Google Play, then wait a random amount of time and
simply update the application with malicious code. This tactic seems to have
been used by the cybercriminal group as well.

For example, the application net.vilakeyice.openglplugin (OpenGLPlugin) was first uploaded as clean, on August 5th 2018, and then the malicious payload was introduced on August 21st.

                APK                                 Seen on Google Play  No Payload     7285f44fa75c3c7a27bbb4870fc0cdca    2018.08.05  With Payload   d924211bef188ce4c19400eccb6754da    2018.08.21

The payload is then decrypted and loaded dynamically within the application. If older samples had the decryption key embedded locally within the original clean application, newer samples no longer store it locally, as they seem to receive the decryption key along with the malicious payload.

Attribution and Availability

While attribution for these
Android malware samples has already been the subject of analysis from the
security industry, with the OceanLotus APT group tagged as responsible, the
fact that samples still exist on third-party marketplaces should raise red

Some samples that were on
Google Play at some point are currently still available on third-party
markets, including on Amazon. In regions around the world where access to content from the
official Google Play marketplace may be restricted, users still risk infection
with this type of malware.

In this particular example with Amazon India, the developer name is Caleb Eisenhauer (a fake name) and the application seems to have been published on February 16th 2020. The email address associated with the account ([email protected]) sends to a privacy policy hosted on GitHub (

It’s likely that
similar fake developer accounts exist, all spreading various samples on
third-party marketplaces with the potential to infect victims over an extended
period of time if not removed.

*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Liviu Arsene. Read the original post at: