China-based surveillance campaigns are using Android malware to spy on Uighur Muslims and other ethnic minorities worldwide, according to new research from mobile cybersecurity firm Lookout.
The San Francisco-based Lookout discovered that Chinese hacker groups are using four surveillance-ware tools to harvest personal data from Android smartphones.
Named SilkBean, DoubleAgent, CarbonSteal and GoldenEagle, these related pieces of malware are previously undocumented. They’re part of larger mAPT (mobile advanced persistent threat) campaigns originating in China and stretching back as far as 2013. While they primarily target the Uighur Muslim ethnic minority, Lookout also found evidence that the campaigns target Tibetans and Muslims outside of China.
Lookout was able to link the four surveillance tools to China-linked groups by examining their signing certificates and command and control (C2) infrastructure. In all four cases, the certificates and C2 infrastructure involved are used with other pieces of malware associated with the Chinese hacker group GREF, which is also known as APT15, Ke3chang, Mirage, Vixen Panda and Playful Dragon.
The malware collects a wide range of personal data from Android smartphones, including location data, contact information, text messages, call history, and mobile metadata (such as model name and serial number). Ominously, the CarbonSteal malware is even capable of “audio recording functionality and collection of data from chat applications popular in China.” Meanwhile, the GoldenEagle spyware can take screenshots and photos using infected devices.
According to Lookout, the spyware finds its way onto Android phones via targeted phishing and fake third-party app stores. Hidden in apps aimed at (Uighur) Muslim communities and Tibetans, the content within the sampled malware often references local services and news outlets in countries such as Turkey, Syria, Kuwait, Indonesia and Kazakhstan.
Applications containing the four pieces of malware have been found in ten different languages: Uighur, English, Arabic, Chinese, Turkish, Pashto, Persian, Malay, Indonesian, Uzbek and Urdu/Hindi.
Similarly, infected apps have targeted and been downloaded in 14 countries, 12 of which are on China’s list of “26 sensitive countries” that Chinese authorities have forbidden Uighurs from having contact with. These include France, Pakistan, Saudi Arabia, Malaysia, Egypt and Iran.
It’s not known how many Uighurs, Tibetans and other ethnic minorities have downloaded apps containing the malware. Previous reports have indicated that the use of smartphone-targeted surveillance of Uighurs is extensive, with Uighur adults being forced in 2018 to download ‘nanny’ apps that scan their phones.
Amnesty International has estimated that China has detained upwards of one million Uighurs for the purposes of ‘re-education.’ At the same time, Uighurs who have emigrated to countries such as Turkey also fear that China pressures their new host nations into persecuting them.
Lookout’s latest report is another indication that China’s repression of Uighur Muslims extends far beyond Chinese borders. It should concern anyone protective of their own privacy and civil liberties, particularly when the coronavirus pandemic appears to be normalising mass surveillance in many nations.
And once again, rather than being a force for freedom, Lookout’s report shows that digital technology is all too often the opposite.