Chinese Hackers Target Uyghurs With Multiple Android Surveillance Tools

For seven years, a Chinese threat actor has targeted the Uyghur ethnic minority with several malware families, including newly identified Android surveillance tools, mobile security firm Lookout reports.

Malicious attacks focusing on Uyghurs are not new, with several of them publicly detailed over the years, targeting users of Windows PCs, Macs, and mobile devices.

Dubbed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle, the recently identified malware families appear to be part of larger mAPT (mobile advanced persistent threat) campaigns that also involved the use of HenBox, PluginPhantom, Spywaller, and DarthPusher malware families, based on overlapping infrastructure.

The attacks appear linked to previously detailed campaigns attributed to the Chinese threat actor GREF, which is also known as Playful Dragon, APT15, Vixen Panda, Ke3chang, and Mirage.

The campaigns, which likely stretch as far back as 2013, targeted Tibetans as well, but to a lesser extent. The targeting, however, is not surprising, as both communities are the focus of China’s “counter-terrorism” activity, Lookout notes in a detailed report.

The malware used in these attacks was designed to harvest and exfiltrate personal information and each of the tools aimed for a specific set of data to gather. Some of the tools were trojanized legitimate applications, maintaining the functionality of the impersonated software, but adding malicious capabilities underneath.

Surveillance apps used in this campaign have been distributed through targeted phishing and fake application portals, Lookout’s researchers say.

SilkBean has been around for at least 4 years, and apps carrying it are specifically targeted at the Uyghur community, despite in-app content in other languages. Designed with extensive surveillance capabilities and also providing attackers with remote control over the compromised machines, SilkBean apps can receive roughly 70 commands from the command and control (C&C) server.

An advanced Android remote access tool (RAT), DoubleAgent has been around since at least 2013 and has been used “exclusively against groups with contentious relationships with the Chinese government.” Samples observed in the past year show that the threat actor has continued evolving the malware and the leveraged infrastructure, despite maintaining the same targeting, Lookout points out.

Tracked since 2017, CarbonSteal shows infrastructure overlaps with HenBox, but is less sophisticated than the latter. To date, Lookout has observed more than 500 CarbonSteal samples, capable of performing audio recording, of controlling infected devices through SMS messages, and of answering phone calls from the attackers, for audio surveillance purposes.

GoldenEagle appears designed to target “primarily Uyghurs and Muslims in general, as well as Tibetans, individuals in Turkey, and in China.” The earliest identified sample is dated 2012, while the most recent is from April 2020, and the malware’s code was found in a broad range of applications, divided into two categories based on the exfiltration method: over HTTP and SMTP.

Based on the names and functionality of the trojanized apps, most of the GoldenEagle samples target the Uyghur minority: music service Sarkuy, e-commerce site Tawarim, input keyboard uyhurqa kirgvzvx, pharmaceutical app TIBBIYJAWHAR, Uyghur Quran, and others.

Campaigns associated with the mAPT were observed outside of China as well, including Turkey, Kuwait, and Syria. Overall, the threat actor targeted at least 14 different countries, including 12 that the Chinese government placed on a list of “26 Sensitive Countries.”

Related: Chinese Threat Actor Targets Uyghurs With New iOS Exploit

Related: New “HenBox” Android Malware Discovered

Related: Researchers Link Several State-Sponsored Chinese Spy Groups