Researchers at Kaspersky have discovered a mobile spyware campaign they attribute to the Vietnam-linked OceanLotus group. The campaign involves multiple versions of a malware family they dubbed 'PhantomLance', some of which were previously analysed, under different names, by Doctor Web and Cylance. Several of the malware instances were found on Google Play, disguised as legitimate apps. The malware is capable of stealing SMS, call and contact data, as well as installing further payloads.
Kaspersky does not say who was targeted by this campaign, but noted that victims were found in various countries in Asia in Africa. OceanLotus, also referred to as APT32, has previously engaged in economic espionage, government espionage but also in attacks against civil society. Both the Electronic Frontier Foundation (EFF) and Google have reported on the group's targeting of journalists, activists and dissidents in Vietnam. The use of a Vietnamese church locator app as a lure may suggest a targeting of Christians in Vietnam, a minority sometimes seen as a threat by the government.
The fact that some PhantomLance samples were found on Google Play is a particular concern. Not allowing the installation of apps from third-party app stores is an effective way to keep most malware at bay and is strongly recommended, especially for high risk groups such as journalists and human rights defenders. Google Play does a much better job than third party app stores at detecting and removing malware, but it is certainly not perfect, the PhantomLance samples show.
And this is where Android differs from iOS, the operating system on Apple's iPhones. The manual process involved in getting apps added to the latter's App Store makes malware extremely rare. On top of that, without 'jailbreaking' an iPhone or using a mobile device management system, one cannot install third-party apps.
Vulnerabilities in mobile software and the market surrounding them are getting a lot of attention these days and it is believed that when it comes to those, iPhones and high-end Android phones are more or less on par. However, Android phones provide more opportunities for users to unwittingly install malware and this makes them
However, this is only one side of the story. Apple's strict control of the iPhone ecosystem has led it to remove VPN apps from the Chinese App Store at the request of the Chinese government, which considers such apps malware. Google Play, like all of Google services, is banned in China and in some other countries, but Android phones are widely used and their users can at least install VPN apps from third party stores.
Ultimately, high-risk users need to make an informed decision about what phone best suits their particular threat model. In doing so, they should not ignore the risk of unwittingly installing malware themselves. Of course, for many such users price is an important and often defining factor. Android phones are available for much less than the cheapest iPhones, but these cheaper phones are often much less secure. Claudio Guarnieri (‘nex’) has previously written about this ‘economic inequality’ of mobile security.
For those worried about possible malware infections on their existing phones, the Civilsphere Lab can help: our free Emergency VPN service let us analyse your network traffic for a few days to detect possible malware infections or data leakage.