Android spyware targeting Tibetan activists points to government or large enterprise perpetrators

This malware has repercussions that extend beyond the threats of normal malware, because of the location detection possibilities inherent in cellular network information

This has repercussions that extend beyond the threats of normal malware, the group noted, because of the location detection possibilities inherent in cellular network information.

A malicious email message repurposed from a legitimate private email message sent by an information security expert in the Tibetan community to a member of the Tibetan parliament-in-exile began the latest attack. Clearly a spyware gambit, Citizen Lab noted that the malware was designed to send a user’s contacts, SMS message history, and cellular network location to attackers.

“The cellular network information gathered by this malware would only be useful to actors with detailed knowledge of the cellular communication provider’s technical infrastructure,” said Citizen Lab. It added, “The fact that the malware silently responds to the SMS with such detailed technical information on the cellular phone network and topology is both troubling and curious.”

An unsophisticated actor would have little or no use for this information if they were simply interested in exfiltrating data from the user for purposes such as fraud, spam or identity theft, Citizen Lab reasoned. Further, in order to make such information useful for location targeting, the actor would need “detailed knowledge of the cellular network topology and configuration.”

So, the conclusion is that the information is only useful to actors with access to the cellular communications provider and its technical infrastructure – a requirement that points directly at either a very large enterprise or, more likely, a government.

“It almost certainly represents the information that a cellular service provider requires to initiate eavesdropping, often referred to as ‘trap & trace’,” Citizen Lab noted. “Actors at this level would also have access to the data required to perform radio frequency triangulation based on the signal data from multiple towers, placing the user within a small geographical area.”

The attack’s social engineering indicates a high level of familiarity with the activist community as well. The weaponized Android app masquerades as a legitimate chat and photo-sharing service called Kakao Talk, Citizen Lab explained: “Members of the Tibetan community have used Kakao Talk and other applications as alternatives to WeChat (a chat client rapidly rising in popularity) after concerns were raised regarding that application’s general security and the potential for Tencent (the Chinese company that provides the application) to monitor users at the behest of the Chinese government.”

In this case, the Kakao Talk application was modified to include additional permission requests while preserving the core chat functionality and user interface of the application. In order for the malware to be installed, the user must permit applications to be installed from sources other than the Google Play store.

“This permission is not enabled by default in Android,” Citizen Lab noted. “However, as many members of the Tibetan community (particularly those inside Tibetan areas) have access to the Google Play service restricted, they are required to permit applications to be installed from outside sources, and circulating APKs [Android application package files] outside of Google Play is common.”

Users may be duped into accepting these permissions by assuming they are required for the regular functionality of the application or by not reviewing them carefully before approving.
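The repackaging described above leaves a visible trace: the trojanized build declares permissions the genuine app never asked for. The script below is an added example, not Citizen Lab's tooling and not derived from the actual samples; it diffs the `<uses-permission>` entries of a known-good manifest against a suspect one and flags additions that map to the data classes the report names (contacts, SMS, cellular location). Both manifests are constructed stand-ins, the package name `com.example.chat` is invented, and the watch list is our own grouping of real Android permission names.

```python
"""Diff the permission set of a known-good APK manifest against a suspect
repackaged build and flag newly added permissions that expose contacts,
SMS or location data.

Added example for this article; not Citizen Lab's code and not derived
from the real Kakao Talk app or the malicious sample. Manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the mapping to a data class is our own
# grouping, chosen to match what the article says the spyware collected.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS history",
    "android.permission.RECEIVE_SMS": "incoming SMS (possible command channel)",
    "android.permission.SEND_SMS": "outgoing SMS (possible reply channel)",
    "android.permission.ACCESS_COARSE_LOCATION": "cell/Wi-Fi based location",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_PHONE_STATE": "device and cellular identifiers",
}

# Constructed stand-in for the legitimate app's manifest (hypothetical package).
LEGIT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed stand-in for a repackaged build: same package, extra permissions.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""


def permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    attr = "{%s}name" % ANDROID_NS  # ElementTree stores namespaced attrs as {ns}local
    return {el.get(attr) for el in root.iter("uses-permission") if el.get(attr)}


def added_permissions(legit_xml: str, suspect_xml: str) -> set:
    """Permissions declared by the suspect build but absent from the known-good one."""
    return permissions(suspect_xml) - permissions(legit_xml)


def flag_sensitive(added: set) -> dict:
    """Keep only added permissions on the watch list, mapped to the data they expose."""
    return {p: SENSITIVE_PERMISSIONS[p] for p in sorted(added) if p in SENSITIVE_PERMISSIONS}


def audit(legit_xml: str, suspect_xml: str) -> dict:
    """Full check: diff the permission sets, then report the sensitive additions."""
    return flag_sensitive(added_permissions(legit_xml, suspect_xml))


if __name__ == "__main__":
    findings = audit(LEGIT_MANIFEST, SUSPECT_MANIFEST)
    if not findings:
        print("No sensitive permissions were added.")
    for perm, data_class in findings.items():
        print("ADDED %s: exposes %s" % (perm, data_class))
```

The manifest inside a real APK is stored as binary XML, so in practice the two inputs come from decoding each APK first (for example with apktool) and feeding the resulting `AndroidManifest.xml` text to `audit`. A clean diff against a copy obtained from Google Play is a cheap first check for anyone who has to sideload an APK that was circulated by email or chat.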

The attack is similar in scope and nature to the late March attack uncovered by researchers at security firm Kaspersky. The company reported the compromise of an email account of a high-profile Tibetan activist, which was used by attackers to send targeted malware to the activist’s contact list. The targeted attacks leveraged email content about the World Uyghur Congress and included a malicious APK file purporting to be an app with information on the event. That malware allowed attackers to collect data from infected devices including contacts, call logs, SMS messages, geo-location, and phone data (phone number, OS version, phone model, SDK version).

“The attack we analyzed and the malware reported by Kaspersky are not technically related,” Citizen Lab said. “The malware binaries and command and control infrastructure are different and there is no clear indication from technical comparison of the two samples that the attacks were conducted by the same attacker(s). However, both attacks leveraged compromised email accounts of high-profile members of the Tibetan community and also included reference to the Uyghur community.”

In a not-so-oblique reference to who it thinks may be behind the attacks, Citizen Lab added, “Notably, authorities in China have also targeted use of the ‘Internet, mobile phones and digital storage devices’ by Uyghurs in the government’s campaign against the ‘three evils’ of terrorism, separatism and extremism. These similarities are inconclusive, but suggest that mobile malware campaigns against these communities are likely to continue.”
