Chinese Hackers Target Uyghurs With Multiple Android Surveillance Tools

For seven years, a Chinese threat actor has targeted the Uyghur ethnic minority with several malware families, including newly identified Android surveillance tools, mobile security firm Lookout reports.

Malicious attacks focusing on Uyghurs are not new, with several of them publicly detailed over the years, targeting users of Windows PCs, Macs, and mobile devices.

Dubbed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle, the recently identified malware families appear to be part of larger mAPT (mobile advanced persistent threat) campaigns that also involved the use of HenBox, PluginPhantom, Spywaller, and DarthPusher malware families, based on overlapping infrastructure.

The attacks appear linked to previously detailed campaigns attributed to the Chinese threat actor GREF, which is also known as Playful Dragon, APT15, Vixen Panda, Ke3chang, and Mirage.

The campaigns, which likely stretch as far back as 2013, targeted Tibetans as well, but to a lesser extent. The targeting, however, is not surprising, as both communities are the focus of China’s “counter-terrorism” activity, Lookout notes in a detailed report.

The malware used in these attacks was designed to harvest and exfiltrate personal information, with each tool built to collect a specific set of data. Some of the tools were trojanized legitimate applications that retained the functionality of the impersonated software while adding malicious capabilities underneath.

Surveillance apps used in this campaign have been distributed through targeted phishing and fake application portals, Lookout’s researchers say.

SilkBean has been around for at least four years, and the apps carrying it are aimed specifically at the Uyghur community, despite in-app content in other languages. Designed with extensive surveillance capabilities and also giving attackers remote control over compromised devices, SilkBean apps can receive roughly 70 commands from the command and control (C&C) server.

An advanced Android remote access tool (RAT), DoubleAgent has been around since at least 2013 and has been used “exclusively against groups with contentious relationships with the Chinese government.” Samples observed in the past year show that the threat actor has continued evolving the malware and the leveraged infrastructure, despite maintaining the same targeting, Lookout points out.

Tracked since 2017, CarbonSteal shares infrastructure with HenBox but is less sophisticated. To date, Lookout has observed more than 500 CarbonSteal samples, which can record audio, accept control commands via SMS messages, and silently answer phone calls from the attackers for audio surveillance purposes.

GoldenEagle appears designed to target “primarily Uyghurs and Muslims in general, as well as Tibetans, individuals in Turkey, and in China.” The earliest identified sample is dated 2012, while the most recent is from April 2020, and the malware’s code was found in a broad range of applications, divided into two categories based on the exfiltration method: over HTTP and SMTP.

Based on the names and functionality of the trojanized apps, most of the GoldenEagle samples target the Uyghur minority: music service Sarkuy, e-commerce site Tawarim, input keyboard uyhurqa kirgvzvx, pharmaceutical app TIBBIYJAWHAR, Uyghur Quran, and others.

Campaigns associated with the mAPT were observed outside of China as well, including Turkey, Kuwait, and Syria. Overall, the threat actor targeted at least 14 different countries, including 12 that the Chinese government placed on a list of “26 Sensitive Countries.”

Related: Chinese Threat Actor Targets Uyghurs With New iOS Exploit

Related: New “HenBox” Android Malware Discovered

Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.