How Spies Snuck Malware Into the Google Play Store—Again and Again

https://www.wired.com/story/phantomlance-google-play-malware-apt32

Google’s Play Store for Android apps has never had a reputation for the strictest protections from malware. Shady adware and even banking trojans have managed over the years to repeatedly defy Google’s security checks. Now security researchers have found what appears to be a more rare form of Android abuse: state-sponsored spies who repeatedly slipped their targeted hacking tools into the Play Store and onto victims’ phones.

At a remote virtual version of its annual Security Analyst Summit, researchers from the Russian security firm Kaspersky today plan to present research about a hacking campaign they call “PhantomLance,” in which spies hid malware in the Play Store to target users in Vietnam, Bangladesh, Indonesia, and India. Unlike most of the shady apps found in Play Store malware, Kaspersky’s researchers say they found that PhantomLance’s hackers smuggled in data-stealing apps with the aim of infecting only some hundreds of users; the spy campaign likely sent links to the malicious apps to those targets via phishing emails. “In this case, the attackers used Google Play as a trusted source,” says Kaspersky researcher Alexey Firsh. “You can deliver a link to this app and the victim will trust it because it’s Google Play.”

Kaspersky says it has tied the PhantomLance campaign to the hacker group OceanLotus, also known as APT32, widely believed to be working on behalf of the Vietnamese government. That suggests the PhantomLance campaign likely mixed spying on Vietnam’s Southeast Asian neighbors with domestic surveillance of Vietnamese citizens. Security firm FireEye, for instance, has linked OceanLotus to previous operations that targeted Vietnamese dissidents and bloggers. FireEye also recently spotted the group targeting China’s Ministry of Emergency Management as well as the government of the Chinese province of Wuhan, apparently searching for information related to Covid-19.

The first hints of PhantomLance’s campaign focusing on Google Play came to light in July of last year. That’s when Russian security firm Dr. Web found a sample of spyware in Google’s app store that impersonated a downloader of graphic design software, but in fact had the capability to steal contacts, call logs, and text messages from Android phones. Kaspersky’s researchers found a similar spyware app, impersonating a browser cache cleaning tool called Browser Turbo, still active in Google Play in November of that year. (Google removed both malicious apps from Google Play after they were reported.) While the espionage capabilities of those apps were fairly basic, Firsh says that they both could have expanded. “What’s important is the ability to download new malicious payloads,” he says. “It could extend its features significantly.”

Kaspersky went on to find tens of other, similar spyware apps dating back to 2015 that Google had already removed from its Play Store, but which were still visible in archived mirrors of the app repository. Those apps appeared to have a Vietnamese focus, offering tools for finding nearby churches in Vietnam and Vietnamese-language news. In every case, Firsh says, the hackers had created a new account and even GitHub repositories for spoofed developers to make the apps appear legitimate and hide their tracks. In total, Firsh says, Kaspersky’s antivirus software detected the malicious apps attempting to infect around 300 of its customers’ phones.

In most instances, those earlier apps hid their intent better than the two that had lingered in Google Play. They were designed to be “clean” at the time of installation, and only later add all their malicious features in an update. “We think this is the main strategy for these guys,” says Firsh. In some cases, those malicious payloads also appeared to exploit “root” privileges that allowed them to override Android’s permission system, which requires apps to ask for a user’s consent before accessing data like contacts and text messages. Kaspersky says it wasn’t able to find the actual code that the apps would use to hack Android’s operating system and gain those privileges.

via Wired Top Stories https://ift.tt/2uc60ci

April 28, 2020 at 01:27PM

Here’s What Disinfectants and UV Light *Really* Do to Your Body

https://www.wired.com/story/heres-what-disinfectants-and-uv-light-really-do-to-your-body

When a poison control center receives a call about someone who injected themselves with bleach, it’s often a tragic suicide attempt, Calello says. Occasionally, someone has a misguided idea about “cleansing” the blood, she says. “Those chemicals are just not meant to be in the human body in any way. They’re not meant to be on your skin, much less in your veins,” she says. “If you inject bleach or ammonia or any disinfectants, it automatically starts to kill the lining of your blood vessels and your blood cells and your organs.”

Household disinfectants such as Lysol work by destroying the outer layer of a virus, and they can be toxic to human cells. Wiping your hands with a disinfecting wipe won’t hurt you because it’s a dilute solution, but pouring disinfectant on your hands could cause irritation. “I think it’s important to make a distinction between what we do to clean our skin and what we do to disinfect our environment,” Calello says.

For cleaning skin, Calello continues, “The CDC (Centers for Disease Control and Prevention) recommends cleaning with soap and water, which rinses off debris and dirt.” Soap tears away the virus’s outer fatty layer gently enough that it destroys the virus without harming your skin.

What about UV light? At last Thursday’s press briefing, Bill Bryan, a senior official at the Department of Homeland Security, presented unpublished data about the effect of higher outdoor temperatures and humidity on Covid-19. That led Trump to riff in the direction of coronavirus response coordinator Dr. Deborah Birx: “Supposing we hit the body with a tremendous—whether it’s ultraviolet or just a very powerful light. And I think you said that hasn’t been checked, but you’re going to test it. Supposing you brought the light inside the body, which you can do, either through the skin or some other way. I think you said you’re going to test that too.”

UV light—particularly the shortest wavelength, known as UVC—kills viruses by damaging their DNA or RNA, crippling their ability to make copies of themselves. Hospitals have been using UVC lamps and even UVC robots to disinfect the air in rooms. But just as with disinfectants, UVC light doesn’t discriminate in what it kills. This light can also damage human cells, potentially harming the cornea, causing sunburn, and raising the risk of skin cancer, says physicist David Brenner, who is director of the Center for Radiological Research at Columbia University. That’s why hospital staff turn on the lamps only when the rooms are empty.

Theoretically, it would be possible to snake a tube with a UV light into a person’s airway, but that would be a very bad idea. “That would be damaging to all the cells inside the body,” says Brenner. And in any case, the light wouldn’t reach all areas of the lungs. “The UV light can’t go around corners,” he says. “I don’t think you’d be killing all the viruses by any means.” Any remaining viruses would simply multiply, leaving the person still trying to fight off a Covid-19 infection—but now with potential cellular damage from the UV light.

Brenner has been studying far-UVC, a wavelength that can kill viruses but can’t penetrate beyond the top layer of human skin, which is made up of dead cells. Brenner says that kind of light could be used to safely kill germs in the air, not just in hospitals, but in airports, transit stations, and other places where people gather. Still, he points out, the idea would be to use far-UVC for environmental surface decontamination, not internally to treat patients.

Medicine, of course, works differently. Antiviral drugs being designed to kill the SARS-CoV-2 virus that causes Covid-19 would target it very specifically, rather than killing a broad spectrum of microbes or endangering human cells. So far, there are no FDA-approved medical treatments for Covid-19, although drugmakers are racing to find ways to kill the novel coronavirus.

via Wired Top Stories https://ift.tt/2uc60ci

April 28, 2020 at 06:03AM

‘UFO’ videos declassified by US Navy

https://www.space.com/ufos-videos-declassified-navy-release.html

Three videos of midair military interactions with UFOs, previously released without official permission by a UFO research group, were declassified and shared online today (April 27) by the U.S. Navy. 

The footage, captured by U.S. Navy pilots years ago, shows mysterious, wingless aircraft traveling at hypersonic speeds, with no visible means of propulsion. UFO research group To the Stars Academy of Arts and Science published the clips in 2017 and 2018; at the time, those videos were allegedly declassified, Live Science previously reported. However, in September 2019, Joseph Gradisher, a spokesperson for the Deputy Chief of Naval Operations for Information Warfare, said that the footage had not been cleared for official release.

via Space.com https://ift.tt/2CqOJ61

April 28, 2020 at 07:30AM