China-Linked EvilBamboo Targets Mobiles

A prolonged and ongoing cyber-espionage campaign by the threat actor known as EvilBamboo (formerly Evil Eye) has been uncovered by cybersecurity firm Volexity. This extensive operation is directed at Tibetan, Uyghur and Taiwanese individuals and organizations.

Volexity’s monitoring efforts, spanning more than five years, have tracked the evolution of EvilBamboo’s activities. In September 2019, a reconnaissance framework and customized Android malware aimed at infiltrating Uyghur and Tibetan communities were observed. 

Further, in April 2020, EvilBamboo escalated its attacks by deploying a Safari exploit to implant iOS malware into the devices of Uyghur users. The content of a new report published by Volexity last Friday includes information from several reports sent to Volexity Threat Intelligence customers in June 2023 and presented at LABScon 2023.

The advisory, written by Volexity researchers Callum Roxan, Paul Rascagneres and Thomas Lancaster, shows that EvilBamboo has been primarily targeting Taiwanese users by distributing the Android spyware BADBAZAAR through threads on a Taiwanese APK sharing forum since January 17, 2023.

These threads promote a cracked version of the Whoscall Android application, which assists in identifying spam calls and messages. The threat actor regularly updates the download link, leading victims to a Dropbox or Google Drive link.

To support the distribution of its Android spyware, EvilBamboo has created counterfeit websites designed to distribute BADSIGNAL, a compromised version of the Signal app. The threat actor has also backdoored other applications like Telegram.

EvilBamboo utilizes Telegram groups to share the latest versions of compromised applications. These groups cater to specific apps or categories, making it easier for users to download them.

The threat actor also uses websites to load obfuscated profiling scripts, such as JMASK, which collects device information, lists Ethereum accounts and fingerprints the user’s browser. Another site shares a similar pattern with BADSOLAR and is actively promoted on Reddit and Twitter.

“Compromise of mobile devices enables the collection of large amounts of highly sensitive information about individuals, which can put them – and those close to them – at risk,” reads the Volexity advisory.

“These campaigns largely rely on users installing backdoored apps, which highlights both the importance of only installing apps from trusted authors and the lack of effective security mechanisms to stop backdoored apps making their way onto official app stores.”
