Experts Uncover Two Long-Running Android Spyware Campaigns Targeting Uyghurs

Nov 11, 2022 | Ravie Lakshmanan

Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts.

The tooling encompasses a previously undocumented malware strain called BadBazaar and updated variants of an espionage artifact dubbed MOONSHINE by researchers from the University of Toronto’s Citizen Lab in September 2019.

“Mobile surveillance tools like BadBazaar and MOONSHINE can be used to track many of the ‘pre-criminal’ activities, actions considered indicative of religious extremism or separatism by the authorities in Xinjiang,” Lookout said in a detailed write-up of the operations.

The BadBazaar campaign, according to the security firm, dates as far back as late 2018 and comprises 111 unique apps that masquerade as benign video players, messengers, religious apps, and even TikTok.

While these samples were distributed through Uyghur-language social media platforms and communication channels, Lookout noted it found a dictionary app named “Uyghur Lughat” on the Apple App Store that communicates with a server used by its Android counterpart to gather basic iPhone information.

The iOS app continues to be available on the App Store.

“Since BadBazaar variants often acquire their surveillance capabilities by downloading updates from their [command-and-control server], it is possible the threat actor is hoping to later update the iOS sample with similar surveillance functionality,” the researchers pointed out.

BadBazaar, once installed, comes with several features that allow it to collect call logs, GPS locations, SMS messages, and files of interest; record phone calls; take pictures; and exfiltrate substantial device metadata.

Further analysis of BadBazaar’s infrastructure has revealed overlaps with another spyware operation aimed at the ethnic minority, which came to light in July 2020 and made use of an Android toolset called DoubleAgent.

Attacks employing MOONSHINE,

Researchers Find New Android Spyware Campaign Targeting Uyghur Community

Sep 06, 2022 | Ravie Lakshmanan

A previously undocumented strain of Android spyware with extensive information-gathering capabilities has been found disguised as a book and is likely designed to target the Uyghur community in China.

The malware comes under the guise of a book titled “The China Freedom Trap,” a biography written by the exiled Uyghur leader Dolkun Isa.

“In light of the ongoing conflict between the Government of the People’s Republic of China and the Uyghur community, the malware disguised as the book is a lucrative bait employed by threat actors (TAs) to spread malicious infection in the targeted community,” cybersecurity firm Cyble said in a report published Monday.

The existence of the malware samples, which come with the package name “com.emc.pdf,” was first disclosed by researchers from the MalwareHunterTeam late last month.

Distributed outside of the official Google Play Store, the app, once installed and opened, displays a few pages of the book, including the cover page, an introduction, and a letter purportedly sent by Michael Kozak and Sam Brownback to Isa on June 15, 2018, offering condolences on his mother’s death.

In reality, however, the malicious APK file is engineered to:

  • hide the app icon,
  • steal device and SIM information,
  • steal SMS messages, contacts and call logs,
  • identify neighboring cell information (received signal strength, Cell ID location),
  • make calls and send SMSes on behalf of victims,
  • delete SMS and call logs, and
  • take pictures from the infected device’s camera and capture its screen.

“TAs are leveraging various methods, including regional and biogeographical conflicts, to fulfill their malicious intentions,” the researchers said. “In this case, they are seen taking advantage of the Uyghur-Chinese conflict to target unsuspecting individuals.”
