Tibetan Activists Hit by Second Android Spy Malware

If you are a Tibetan activist, it looks more and more like you should not be using an Android phone. Last week, Kaspersky Lab uncovered the first Android Trojan targeting Tibetan and Uyghur activists. On Monday, another report pointed to state-sponsored Chinese hackers spying on Tibetans using a trojanized version of a mobile messaging app, probably with some help from the Chinese government.

According to a report by cybersecurity researchers at the Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto, Tibetan activists are the target of an attack that steals the victim's contacts and messages and tracks his or her location. The modus operandi is strikingly similar to the attack uncovered last week, although at the technical level, at least, the two cannot be linked, the researchers said.

The attackers sent a Tibetan activist a phishing email that appeared to come from a trusted contact and carried an Android application package (APK) to install Kakao Talk, an app that lets users send free messages over the Internet. The file, however, is not the genuine Kakao Talk installer but a repackaged version of it that requests additional permissions, opening the door for the attackers.

An attack like this, the researchers note, would not work by default on an Android device: the stock configuration installs only applications from a trusted store and refuses sideloaded packages unless the user explicitly allows installs from unknown sources. But Tibetan activists, like users in China, have access only to a restricted version of the Google Play store, so they often install apps from third parties and turn that protection off. Moreover, they may not be tech-savvy enough to notice that the malware-laden app requests permissions that the genuine one does not.
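The practical check the paragraph above describes, comparing the permissions a suspect APK requests against those of the genuine release, is something a recipient (or whoever vets apps for activists) can automate. The following script is an added example and is not code from the original article or from the Citizen Lab report: it parses the text that the Android SDK tool `aapt dump permissions <file.apk>` prints for two APKs, reports the permissions the suspect adds, and highlights those in Android's "dangerous" class (contacts, SMS, location and similar). The two permission dumps embedded below are constructed samples for illustration, not the manifest of the real Kakao Talk app or of the trojanized copy.

```python
import re

# Subset of the permissions Android classifies as "dangerous" (user-visible,
# protecting private data). Taken from AOSP's protection levels; not exhaustive.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# `aapt dump permissions` lines look like either
#   uses-permission: name='android.permission.INTERNET'   (newer aapt)
#   uses-permission: android.permission.INTERNET          (older aapt)
# optionally followed by attributes such as maxSdkVersion='22'.
_PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?(?:\s+\w+='[^']*')*\s*$"
)
_PKG_RE = re.compile(r"^package:\s*([\w.]+)")


def parse_aapt_permissions(text):
    """Return (package_name, set_of_permissions) from aapt dump permissions output."""
    package = None
    perms = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = _PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = _PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms


def diff_permissions(baseline_dump, suspect_dump):
    """Compare a known-good APK's permissions with a suspect APK's.

    Returns a dict with the added/removed permissions, the added ones that are
    dangerous, and whether both files declare the same package name (a
    repackaged APK usually keeps the original package name so it looks genuine).
    """
    base_pkg, base = parse_aapt_permissions(baseline_dump)
    sus_pkg, sus = parse_aapt_permissions(suspect_dump)
    added = sus - base
    return {
        "same_package": base_pkg == sus_pkg,
        "added": sorted(added),
        "added_dangerous": sorted(added & DANGEROUS),
        "removed": sorted(base - sus),
    }


def is_suspicious(report):
    """Flag the suspect APK if it gained any dangerous permission or changed package."""
    return bool(report["added_dangerous"]) or not report["same_package"]


# Constructed sample dumps (illustrative only; not the real app's manifest).
BASELINE_DUMP = """\
package: com.example.messenger
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_CONTACTS'
"""

SUSPECT_DUMP = """\
package: com.example.messenger
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WAKE_LOCK'
"""

if __name__ == "__main__":
    report = diff_permissions(BASELINE_DUMP, SUSPECT_DUMP)
    for perm in report["added"]:
        tag = "DANGEROUS" if perm in DANGEROUS else "normal"
        print(f"added {perm} [{tag}]")
    print("suspicious:", is_suspicious(report))
```

To run it against real files, save the output of `aapt dump permissions genuine.apk` and `aapt dump permissions suspect.apk` and pass the two texts to `diff_permissions`. The permission delta is a useful first screen, but it is not proof either way: a repackaged APK also has to be re-signed with a different key, so comparing the signing certificate fingerprints of the two files is the stronger check.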

Once the malicious app is installed, it starts collecting data and stores it in a .txt file on the phone, then contacts a command-and-control server to upload the stolen data. The app also lets the attacker retrieve location-related data by automatically replying to an SMS message that contains a trigger code. This exchange is not visible to the phone's owner and happens entirely without his or her knowledge.

The researchers at Citizen Lab found this last part of the attack particularly interesting. "This information is only useful to actors with access to the cellular communications provider and its technical infrastructure, such as large businesses and government," the report reads. "It almost certainly represents the information that a cellular service provider requires to initiate eavesdropping, often referred to as 'trap & trace.'"

That suggests that whoever is behind the attack is able to combine the data mined from the phone with information held by telecom companies. For the researchers, that almost certainly points to the Chinese government.

"We don't have a smoking gun that this is the Chinese government," Citizen Lab director Ron Deibert told Forbes. "But let's face it, when you add it all up, there's really only one kind of organization for whom this information is useful. And we know that the Chinese have a very strong interest in tracking Tibetans, so it's a strong set of circumstantial evidence."

As powerful as the malware is, the researchers also note that many of the permissions the app requests are not actually used. The malware does not gather GPS or Bluetooth data. Bluetooth data in particular could be very interesting for Chinese spies, since it would give them a way of getting information about any device in close proximity to the infected phone.

Overall, this is bad news for Tibetan activists. Kakao Talk was being recommended as an alternative to WeChat, a Chinese app that is considered less secure. "It's clear that Chinese authorities want to disrupt our work and make us spend time on this kind of thing rather than the work of advocacy or organizing," Lhadon Tethong, director of the Tibet Action Institute, told Forbes' Andy Greenberg. "These mobile attacks are newer. And they're very alarming."
