Android Malware Targeting Tibetan Activists

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

One of the first cases of Android malware used in targeted campaign

A high-profile Tibetan activist had his email hacked so attackers could propagate Android malware amongst his contacts, security researchers revealed today.

This is the first time malicious Android software has been seen targeting Tibetan activists, and one of the few occasions where malware exploiting the Google OS has been used in a targeted attack.

Android malware for targeted campaigns

Android © Palto Shutterstock 2012Spear phishing emails were sent from the prominent activist’s account less than 20 hours after it was compromised, containing an Android Package (APK) attachment.

The messages claimed to be about a human rights conference in Geneva – called the World Uyghur Congress. The Uyghur people of East Turkestan are also campaigning for independence from China.

The Android malware came in the form of an app called “WUC’s Conference.apk”, security firm Kaspersky reported, which appeared on phones as “Conference”.

Once the app is opened, the victim is presented with text talking about the supposed conference, whilst in the background the malware starts talking with a command-and-control server. It then starts siphoning off plenty of data, including contacts, call logs, text messages, location and other phone information, such as OS version and telephone number.

To retrieve the data, the attackers send an SMS with certain commands. Once received, the malware encodes the information with the freely available Java Base64 library developed by Sauron Software, before uploading it to the C&C server.

That server’s IP is located in Los Angeles, U.S.A., at a hosting company named “Emagine Concept Inc”. Kaspersky found a publicly accessible interface to interact with victims’ devices, including functions to view contacts on the phone or uninstall Trojans.

Kaspersky said the case indicated “an interesting trend which is exploiting the trust relationships between the two communities”.

“It is perhaps the first in a new wave of targeted attacks aimed at Android users. So far, the attackers relied entirely on social engineering to infect the targets,” the cmpany said in a blog post.

“History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.

“For now, the best protection is to avoid any APK attachments that arrive on mobile phones via email.”

Malware is now a key weapon for those seeking to spy on activists, or steal their data. Last year, Kaspersky detected a persistent attack targeting those supporting human rights for the Uyghur people, hitting Mac and Windows PCs. This January, a website serving the Uyghur people was serving up an Internet Explorer vulnerability.

A number of companies are believed to be selling Android malware to governments, including British firm Gamma International and Italian organisation Hacking Team. Human rights activists have been up in arms about such software allegedly being used to spy on activists in various countries, including Bahrain and Syria.

Are you a security expert? Try our quiz!

Read also :