Tibetan, Uyghur activists targeted with Android malware

Tibetan and Uyghur activists are once again in the cross-hairs of cybercriminals bent on espionage and tracking their movements
Tibetan and Uyghur activists are once again in the cross-hairs of cybercriminals bent on espionage and tracking their movements

The bug’s main purpose is to steal data, including contacts stored both on the phone and the SIM card, call logs, SMS messages, geo-location information, and the phone’s configuration data (phone number, OS version, phone model, SDK version). Likely originating from Chinese-speaking attackers, Kaspersky has identified the trojan as "Chuli," after a command function that shows up prior to posting stolen data to the command-and-control server.

“It appears that the attackers are somewhat familiar with the language and mountain-trekking culture of the targets – the meaning of ‘chuli’ is ‘summit,” said Kaspersky Lab researchers, in a blog post.

The attack began on March 24, 2013, when the email account of a high-profile Tibetan activist was hacked and used to send used to send spear phishing emails to a contact list of other activists and human rights advocates. The messages referred to a human rights conference event in Geneva, organized by multiple activist groups. It has been used in a number of attacks as a lure, Kaspersky said.

The attacks show other trends as well. In this case, the attackers hacked a Tibetan activist's account and used it to attack Uyghur activists. “It indicates perhaps an interesting trend which is exploiting the trust relationships between the two communities,” said the researchers. “This technique reminds us of a combination between ages-old war strategies: Divide et impera and By way of deception.”

But, notably, the malware attached to the mails was not aimed at Windows and Mac OS X platforms, as recent campaigns against the Uyghurs and Tibetan activists have been. This time the messages had an APK attachment as payload, containing a malicious backdoor trojan program for Android. Clearly, the perpetrators were banking on activists using their smartphones to pick up email.

If the attachment is clicked, an app calling itself “Conference” is installed on the handset. If the victim launches the app, he or she will see a text full of grammatical errors and purporting to offer information about the upcoming event:

On behalf of all at the Word Uyghur Congress (WUC), the Unrepresented Nations and Peoples Organization (UNPO) and the Society for Threatened Peoples (STP), Human Rights in China: Implications for East Turkestan, Tibet and Southern Mongolia

In what was an unprecedented coming-together of leading Uyghur, Mongolian, Tibetan and Chinese activists, as well as other leading international experts, we were greatly humbled by the great enthusiasm, contribution and desire from all in attendance to make this occasion something meaningful, the outcome of which produced some concrete, action-orientated solutions to our shared grievances. We are especially delighted about the platform and programme of work established in the declaration of the conference, upon which we sincerely hope will be built a strong and resolute working relationship on our shared goals for the future. With this in mind, we thoroughly look forward to working with you on these matters.

Dolkun lsa

Chairman of the Executive Committee

Word Uyghur Congress

“While the victim reads this fake message, the malware secretly reports the infection to a command-and-control server,” Kaspersky Researchers noted. “After that, it begins to harvest information stored on the device.”

The data isn’t uploaded to C&C server automatically, the researchers uncovered, but rather employs a sleeper cell tactic. The trojan waits for incoming SMS messages and checks whether these messages contain a specific command, and if it does, the malware will encode the stolen data and upload it to the C&C server.

“Until now, we haven't seen targeted attacks against mobile phones in the wild, although we've seen indications that these were in development,” the researchers said. “Every day, there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters. The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158, CVE-2010-3333 and CVE-2009-3129.”

Kaspersky also had a warning for future evolution in attack strategy: “So far, attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.”

For now, the best protection is to avoid any APK attachments that arrive on mobile phones via email.

What’s Hot on Infosecurity Magazine?