In the security world, fingers are pointed at China again, after researchers discovered yet more Android malware targeting Tibetan activists.
China has already been implicated in attacks on notable US firms, including the New York Times. Yesterday, Citizen Lab revealed it was alerted to a malicious Android app by a Tibetan source in January, cloaking itself as a legitimate communications app called Kakao Talk.
It appeared attackers had cloned a legitimate message sent by a security professional in Tibet to a member of the Tibetan parliament-in-exile, based in India, which included a safe Android file. Citizen Lab suggested the Indian source most likely had their email account hacked.
The cloned message containing the malicious Android app was subsequently sent to a high profile political figure in the Tibetan community.
The rogue app contained additional permissions to the legitimate Kakao Talk app, allowing it to write the target’s contacts, call history, SMS messages and cellular network configuration to an encrypted file. That file is then uploaded to the attackers’ server.
Infected phones could also have revealed their mobile area code and nearest base station, when the attackers sent SMS messages requesting the data.
The image below shows the differences in permissions between the legitimate and fake app:
Citizen Lab did not specifically state China was to blame for the specific Android threat, but it did note the Chinese government’s hard line on Tibetan activists. In particular, China has been reportedly cracking down on activism following a stark rise in self-immolation amongst Tibetans, claiming it was concerned about outside interference and encouragement.
“With official reliance on ‘evidence’ of overseas contact as a basis for conviction and crackdown, it appears that Chinese authorities are specifically targeting mobile devices in China as a perceived means of communicating and organising self-immolations,” Citizen Lab said in a blog post.
“Although we have no specific evidence linking these new restrictions to the targeted malware we found, the timing is certainly suggestive and warrants further exploration.
“The fact that the malware silently responds to the SMS with such detailed technical information on the cellular phone network and topology is both troubling and curious.
“An unsophisticated actor would have little or no use for this information if they were simply interested in exfiltrating data from the user for purposes such as fraud, spam or identity theft.
“This information is only useful to actors with access to the cellular communications provider and its technical infrastructure, such as large businesses and government. It almost certainly represents the information that a cellular service provider requires to initiate eavesdropping, often referred to as ‘trap & trace’.”
The Chinese Embassy in London had not responded to a TechWeekEurope request for comment at the time of publication.
Anti-virus software from Avast, Lookout and Kaspersky did not detect the software as malicious on two days of testing.
This is the second time in the space of seven days Android malware has been spotted targeting Tibetan activists. Kaspersky uncovered a spear phishing campaign last week, in which emails purportedly containing an app related to a human rights conference in Geneva – called the World Uyghur Congress – were used to get Android malware onto targets’ devices.
The rogue app stole contacts, call logs, text messages, location and other phone information, such as OS version and telephone numbers.
Use of mobile malware on citizens will concern onlookers, who have bemoaned government use of such surveillance. At RSA 2013 this year, TechWeekEurope heard from Tor Project contributor Jacob Appelbaum how malware could mean the difference between life and death for those activists fighting particularly repressive regimes.
Are you a security expert? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…