Chinese Android Spyware Targets Minority Muslim Groups

Hackers backed by the Chinese state have been using Android malware to spy on Uyghur and Tibetan minorities for seven years, according to new research from security firm Lookout.

According to Lookout's threat intelligence team, four Android monitoring tools named SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle were embedded in dozens of apps that would appeal to Uyghurs and, "to a lesser extent," Tibetans.

China has used these tools to collect personal information from victims in 14 predominantly Muslim countries, Lookout said. The data is sent back to command-and-control servers managed by Chinese state-sponsored hackers. Researchers Apurva Kumar, Christoph Hebeisen, and Kristin Del Rosso wrote in a blog post, "These four interconnected malware tools are elements of a larger mAPT (Mobile Advanced Persistent Threat) campaign. The activity of these surveillance campaigns can be traced back to 2013."

Malicious tools were injected into legitimate apps available for download from fake app stores, including VPNs, news sites, beauty services, and social media platforms, and were also spread through phishing campaigns. (The official Google Play app store is not available in China.)

A Lookout blog post warns that these malicious tools have "unique data collection priorities and techniques."

Collectively, they can be used to access an infected device's microphone, identify targets, eavesdrop on calls, download photos, read text messages, delete files, etc.

"Many of these malware tool samples were Trojanized versions of legitimate applications, and the malware maintained the full functionality of the spoofed application in addition to its hidden malicious features," the Lookout blog post stated.

Although Uyghurs were the primary target, Lookout's analysis indicates that the spyware campaign also targeted Tibetans.

"These two groups are reportedly the main focus of China's 'counterterrorism' activities," the researchers explained in the blog post.

"Sample titles and in-app features such as 'Sarkuy' (a Uyghur music service), 'TIBBIYJAWHAR' (a Uyghur pharmaceutical app), and 'Tawarim' (a Uyghur e-commerce website) indicate that most of this activity was focused on Uyghurs."

The Uyghurs, who speak a Turkic language and follow Islam, are one of the indigenous peoples of China's westernmost Xinjiang Uyghur Autonomous Region, where they have suffered government repression since Islamist and nationalist demonstrations and terrorist acts began some 20 years ago.

Just last month, Trend Micro researchers detailed an Android-based spyware campaign targeting both Uyghurs and Tibetans. This campaign was related to a multi-year iPhone-based phishing campaign that also targeted Chinese minority activists.

Lookout noted that the number of samples increased dramatically in 2015 after the Chinese government implemented new regulations known as the National Security Strategy Guidelines, National Security Law, and Anti-Terrorism Law as part of its "Strike Hard Against Violent Terrorism Campaign."

Researchers believe that these campaigns are also active in other parts of the world.

"Titles such as 'Turkey Navigation,' 'A2Z Kuwait FM Radio,' and 'اخبار سوريا' ('Syria(n) News') may suggest targets in Turkey, Kuwait, and Syria respectively," the blog post states.

"Our research shows that at least 14 different countries may have been affected by the campaign. Twelve of these countries are included in the Chinese government's official list of '26 sensitive countries,' which, according to official reports, is used by authorities as a basis for targeting."

These 26 countries consist of most Muslim majority countries in the Middle East, Central Asia, and Southeast Asia, as well as Russia, Nigeria, Thailand, Kenya, and South Sudan.
