Chinese Hackers Target Uyghurs With Multiple Android Surveillance Tools

For seven years, a Chinese threat actor has targeted the Uyghur ethnic minority with several malware families, including newly identified Android surveillance tools, mobile security firm Lookout reports.

Malicious attacks focusing on Uyghurs are not new, with several of them publicly detailed over the years, targeting users of Windows PCs, Macs, and mobile devices.

Dubbed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle, the recently identified malware families appear to be part of larger mAPT (mobile advanced persistent threat) campaigns that also involved the use of HenBox, PluginPhantom, Spywaller, and DarthPusher malware families, based on overlapping infrastructure.

The attacks appear linked to previously detailed campaigns attributed to the Chinese threat actor GREF, which is also known as Playful Dragon, APT15, Vixen Panda, Ke3chang, and Mirage.

The campaigns, which likely stretch as far back as 2013, targeted Tibetans as well, but to a lesser extent. The targeting, however, is not surprising, as both communities are the focus of China’s “counter-terrorism” activity, Lookout notes in a detailed report.

The malware used in these attacks was designed to harvest and exfiltrate personal information, with each tool built to collect a specific set of data. Some of the tools were trojanized legitimate applications that kept the functionality of the impersonated software while adding malicious capabilities underneath.

Surveillance apps used in this campaign have been distributed through targeted phishing and fake application portals, Lookout’s researchers say.

SilkBean has been around for at least four years, and the apps carrying it are specifically targeted at the Uyghur community, even though some in-app content is in other languages. Designed with extensive surveillance capabilities and also giving attackers remote control over compromised devices, SilkBean apps can receive roughly 70 commands from the command and control (C&C) server.

An advanced Android remote access tool (RAT), DoubleAgent has been around since at least 2013 and has been used “exclusively against groups with contentious relationships with the Chinese government.” Samples observed in the past year show that the threat actor has continued evolving the malware and the leveraged infrastructure, despite maintaining the same targeting, Lookout points out.

Tracked since 2017, CarbonSteal shares infrastructure with HenBox but is less sophisticated. To date, Lookout has observed more than 500 CarbonSteal samples; the malware can record audio, accept control commands sent to the infected device via SMS, and silently answer phone calls from the attackers to turn the device into a listening post.

GoldenEagle appears designed to target “primarily Uyghurs and Muslims in general, as well as Tibetans, individuals in Turkey, and in China.” The earliest identified sample is dated 2012, while the most recent is from April 2020, and the malware’s code was found in a broad range of applications, divided into two categories based on the exfiltration method: over HTTP and SMTP.

Based on the names and functionality of the trojanized apps, most of the GoldenEagle samples target the Uyghur minority: music service Sarkuy, e-commerce site Tawarim, input keyboard uyhurqa kirgvzvx, pharmaceutical app TIBBIYJAWHAR, Uyghur Quran, and others.

Campaigns associated with the mAPT were observed outside of China as well, including Turkey, Kuwait, and Syria. Overall, the threat actor targeted at least 14 different countries, including 12 that the Chinese government placed on a list of “26 Sensitive Countries.”

Related: Chinese Threat Actor Targets Uyghurs With New iOS Exploit

Related: New “HenBox” Android Malware Discovered

Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
