New research suggests that China is using Android malware to spy on the country’s ethnic minority groups.
The research was published by the cybersecurity firm Lookout. According to the firm's report, Chinese authorities are spying on Uighur Muslims and other minority groups, and the hacking group behind the campaign is using Android malware to deliver its payloads.
Lookout reports that a China-linked hacking group is using mobile surveillance tools to spy on its targets, harvesting user data from smartphones running Android.
Android malware suite
Lookout discovered multiple pieces of malware used to target minorities: GoldenEagle, CarbonSteal, DoubleAgent, and SilkBean. According to the report, the four families are related to one another but had not previously been identified.
The malware belongs to what Lookout describes as a mobile advanced persistent threat (mAPT) campaign. Most of this activity can be traced back to China and has been running since at least 2013.
Researchers at @Lookout found that the Chinese hacking campaign began as early as 2013, targeting #Uyghurs in East Turkistan, as well as in the diaspora.
“Wherever China’s Uighurs are going, however far they go, […] the malware followed them there.” https://t.co/T4goA61Rpo
— World Uyghur Congress (@UyghurCongress) July 7, 2020
Early reports confirm that these hacking operations target Uighur Muslims in China. More recent reports note that the hackers are also targeting Tibetans, and one report suggests that Muslims outside China were targeted by some Chinese hackers as well.
Lookout traced these operations back to China by examining the certificates used to sign the malicious apps and by mapping the malware's command-and-control infrastructure.
Overlaps in that infrastructure let Lookout link the malware to the Chinese hacking group GREF, which is also tracked as APT15, Ke3chang, Mirage, Vixen Panda, and Playful Dragon.
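The attribution approach described above, pivoting on signing certificates and command-and-control hosts shared between samples, can be illustrated with a small clustering script. This is an added example written for this page, not Lookout's code or data: the sample records, certificate labels and hostnames are constructed, and the `ignore` set is an assumption about how an analyst would drop indicators that are too common to carry attribution weight (a shared CDN host, a widely reused test-signing key).

```python
# Added example, not Lookout's code. Clusters Android samples into families by
# pivoting on shared signing-certificate fingerprints and C2 hosts. All records
# below are constructed for illustration.
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed metadata: sample id, signing-cert fingerprint label, C2 hosts.
SAMPLES = [
    {"id": "app-A", "cert": "cert-1111", "c2": {"c2-one.example"}},
    {"id": "app-B", "cert": "cert-1111", "c2": {"c2-two.example"}},
    {"id": "app-C", "cert": "cert-2222", "c2": {"c2-two.example", "c2-three.example"}},
    {"id": "app-D", "cert": "cert-3333", "c2": {"c2-four.example", "shared-cdn.example"}},
    {"id": "app-E", "cert": "cert-3333", "c2": set()},
    {"id": "app-F", "cert": "cert-4444", "c2": {"c2-five.example", "shared-cdn.example"}},
]


class UnionFind:
    """Minimal disjoint-set structure used to merge samples that share an indicator."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def index_indicators(samples: Iterable[dict], ignore: FrozenSet[str] = frozenset()) -> Dict[str, Set[str]]:
    """Map each indicator ("cert:<fp>" or "c2:<host>") to the sample ids carrying it.

    Indicators listed in `ignore` (assumed analyst-maintained noise list) are skipped.
    """
    index: Dict[str, Set[str]] = defaultdict(set)
    for s in samples:
        for ind in [f"cert:{s['cert']}"] + [f"c2:{h}" for h in s["c2"]]:
            if ind not in ignore:
                index[ind].add(s["id"])
    return dict(index)


def cluster_samples(samples: List[dict], ignore: Iterable[str] = ()) -> List[List[str]]:
    """Group samples transitively linked by a shared signing cert or C2 host.

    Returns sorted member lists, ordered by first member, so output is deterministic.
    """
    uf = UnionFind()
    for s in samples:
        uf.find(s["id"])  # register singletons so unlinked samples still appear
    for members in index_indicators(samples, frozenset(ignore)).values():
        ordered = sorted(members)
        for other in ordered[1:]:
            uf.union(ordered[0], other)
    groups: Dict[str, List[str]] = defaultdict(list)
    for s in samples:
        groups[uf.find(s["id"])].append(s["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def shared_indicators(samples: List[dict], min_samples: int = 2) -> Dict[str, List[str]]:
    """Indicators seen in at least `min_samples` samples: the evidence behind each link."""
    return {
        ind: sorted(ids)
        for ind, ids in sorted(index_indicators(samples).items())
        if len(ids) >= min_samples
    }


if __name__ == "__main__":
    print("without noise filtering:")
    for group in cluster_samples(SAMPLES):
        print("  cluster:", ", ".join(group))
    print("ignoring the shared CDN host:")
    for group in cluster_samples(SAMPLES, ignore={"c2:shared-cdn.example"}):
        print("  cluster:", ", ".join(group))
    for ind, ids in shared_indicators(SAMPLES).items():
        print(f"{ind} links {ids}")
```

The point of the `ignore` list is the caveat a practitioner would want: a certificate or host is only evidence of common origin if it is not also shared with unrelated software, so widely reused keys and shared hosting must be removed before the transitive merge, or otherwise separate families collapse into one.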
Malware attack vector and payload
According to Lookout, the malware reaches its targets through phishing and through trojanized apps distributed on third-party app stores. Most of these trojanized apps are chosen to appeal to Uighur Muslims and Tibetans.
Once installed on the target device, the malware runs its main surveillance payload. It collects sensitive user and device information, including location data, text messages, call history, contact lists, and device metadata.
Lookout found apps carrying the malware localized in ten different languages, which gives a sense of the scale of the operation and its variants.
In total, infected apps have been downloaded in 14 different countries. The full scope of the operation is still unknown, but given who it targets, experts warn users to be wary of this Android malware.