China Implicated As More Android Malware Targets Tibetans

In the security world, fingers are pointed at China again, after researchers discovered yet more Android malware targeting Tibetan activists.

China has already been implicated in attacks on notable US firms, including the New York Times. Yesterday, Citizen Lab revealed it was alerted to a malicious Android app by a Tibetan source in January, cloaking itself as a legitimate communications app called Kakao Talk.

It appeared attackers had cloned a legitimate message sent by a security professional in Tibet to a member of the Tibetan parliament-in-exile, based in India, which included a safe Android file. Citizen Lab suggested the Indian source most likely had their email account hacked.

Android malware threats

The cloned message containing the malicious Android app was subsequently sent to a high profile political figure in the Tibetan community.

The rogue app requested permissions beyond those of the legitimate Kakao Talk app, allowing it to write the target’s contacts, call history, SMS messages and cellular network configuration to an encrypted file, which was then uploaded to the attackers’ server.

Infected phones could also have revealed their mobile area code and nearest base station, when the attackers sent SMS messages requesting the data.

The image below shows the differences in permissions between the legitimate and fake app:
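As an added example that is not part of the original article or Citizen Lab's analysis, the following Python script shows how a defender can compare the permissions declared in a known-good app's decoded AndroidManifest.xml with those of a suspected clone and map each extra permission to the data it exposes. The two manifests and the sensitive-permission list are constructed for illustration and are not taken from the real Kakao Talk or its trojanized copy.

```python
# Added example (not Citizen Lab's or TechWeekEurope's code): diff the
# <uses-permission> entries of a known-good app's decoded AndroidManifest.xml
# against a suspected clone, and name the data each extra permission exposes.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Sensitive permissions mapped to the data categories the article describes.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "incoming SMS (usable as a remote trigger)",
    "android.permission.ACCESS_COARSE_LOCATION": "cell tower / area location",
    "android.permission.READ_PHONE_STATE": "cellular network configuration",
}

# Constructed sample manifests, not the real Kakao Talk or its trojanized copy.
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""


def permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def diff_permissions(legit_xml, suspect_xml):
    """List permissions the suspect adds over the baseline, flagging sensitive ones."""
    added = permissions(suspect_xml) - permissions(legit_xml)
    flagged = {p: SENSITIVE[p] for p in sorted(added) if p in SENSITIVE}
    return {"added": sorted(added), "sensitive": flagged}
```

On a real APK the manifest is binary XML, so decode it first (for example with apktool or aapt) before feeding it to this comparison.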

Citizen Lab did not explicitly blame China for this Android threat, but it did note the Chinese government’s hard line on Tibetan activists. In particular, China has reportedly been cracking down on activism following a stark rise in self-immolation amongst Tibetans, claiming it was concerned about outside interference and encouragement.

“With official reliance on ‘evidence’ of overseas contact as a basis for conviction and crackdown, it appears that Chinese authorities are specifically targeting mobile devices in China as a perceived means of communicating and organising self-immolations,” Citizen Lab said in a blog post.

“Although we have no specific evidence linking these new restrictions to the targeted malware we found, the timing is certainly suggestive and warrants further exploration.

“The fact that the malware silently responds to the SMS with such detailed technical information on the cellular phone network and topology is both troubling and curious.

“An unsophisticated actor would have little or no use for this information if they were simply interested in exfiltrating data from the user for purposes such as fraud, spam or identity theft.

“This information is only useful to actors with access to the cellular communications provider and its technical infrastructure, such as large businesses and government. It almost certainly represents the information that a cellular service provider requires to initiate eavesdropping, often referred to as ‘trap & trace’.”

The Chinese Embassy in London had not responded to a TechWeekEurope request for comment at the time of publication.

Anti-virus software from Avast, Lookout and Kaspersky did not detect the software as malicious over two days of testing.

This is the second time in the space of seven days Android malware has been spotted targeting Tibetan activists. Kaspersky uncovered a spear phishing campaign last week, in which emails purportedly containing an app related to a human rights conference in Geneva – called the World Uyghur Congress – were used to get Android malware onto targets’ devices.

The rogue app stole contacts, call logs, text messages, location and other phone information, such as OS version and telephone numbers.

Use of mobile malware on citizens will concern onlookers, who have bemoaned government use of such surveillance. At RSA 2013 this year, TechWeekEurope heard from Tor Project contributor Jacob Appelbaum how malware could mean the difference between life and death for those activists fighting particularly repressive regimes.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.