A new malware that is being deployed by the Chinese hacking group APT 41 monitors SMS traffic and other mobile information en masse and is being used against a telecommunications firm to target specific customer phone numbers.

The malware, called MessageTap, has been used in cyberespionage and financially motivated attacks, reported FireEye. MessageTap was first discovered earlier this year during an investigation at a telecommunications network provider, where it was running on a cluster of Linux Short Message Service Center (SMSC) servers. These are responsible for routing and storing SMS messages, which makes them a perfect target from which to cull sensitive data, FireEye researchers Raymond Leong, Dan Perez and Tyler Dean said in a recent report.

FireEye said it spotted MessageTap at one of its client telcos; additionally, APT 41 has recently targeted four other telcos (although not with MessageTap), and FireEye has also seen other Chinese efforts to move upstream.

“Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT 41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance,” FireEye said.

The malware itself operates in a straightforward manner.

“MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files: keyword_parm.txt and parm.txt and attempts to read the configuration files every 30 seconds. If either exists, the contents are read and XOR decoded,” the research team said.

The keyword_parm.txt file contains a list of keywords, while parm.txt contains International Mobile Subscriber Identity (IMSI) numbers and phoneMap, which contains phone numbers.

At this point MessageTap is prepared to monitor all network connections to and from the server and extract SMS message data, including message content, IMSI number and the message's source and destination.
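The polling behaviour described above gives defenders of SMSC hosts something concrete to hunt for. The following Python is an added example, not code from FireEye's report or from the malware: it walks a filesystem for the two configuration file names the report gives and tries to recover their contents under a single-byte XOR key, which is an assumption since the excerpt does not state the key scheme; the sample parm.txt contents are constructed.

```python
import os
import string
import tempfile

# File names the FireEye report says MESSAGETAP polls for every 30 seconds.
MESSAGETAP_CONFIG_NAMES = ("keyword_parm.txt", "parm.txt")
PRINTABLE = set(string.printable.encode())

def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the key size is an assumption, the report excerpt does not state it."""
    return bytes(b ^ key for b in data)

def score(plain: bytes) -> tuple:
    """(printable ratio, newline count): a case-flipping key (k ^ 0x20) keeps letters printable
    but turns '\\n' into '*', so the newline count breaks ties in favour of the true key."""
    if not plain:
        return (0.0, 0)
    return (sum(b in PRINTABLE for b in plain) / len(plain), plain.count(b"\n"))

def analyze_candidate(name: str, data: bytes):
    """Return a finding if a MESSAGETAP-named file decodes to clean text, else None."""
    if name not in MESSAGETAP_CONFIG_NAMES:
        return None
    key, (ratio, _) = max(((k, score(xor_decode(data, k))) for k in range(256)),
                          key=lambda kv: kv[1])
    if ratio < 0.95:
        return None
    return {"file": name, "xor_key": key, "preview": xor_decode(data, key)[:64]}

def scan_directory(root: str) -> list:
    """Walk `root` (e.g. a mounted SMSC host image) and collect every finding."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname in MESSAGETAP_CONFIG_NAMES:
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    finding = analyze_candidate(fname, fh.read())
                if finding:
                    findings.append({**finding, "path": path})
    return findings

# Constructed sample (made-up IMSI and phone number) encoded with key 0x5A.
SAMPLE_PLAIN = b"imsi\n460001234567890\nphoneMap\n+8613800000000\n"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, 0x5A)

def demo_scan() -> list:
    """Drop the sample into a temporary tree and run the scanner over it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "parm.txt"), "wb") as fh:
            fh.write(SAMPLE_ENCODED)
        return scan_directory(root)
```

A hit only tells you a file with that name decodes cleanly; confirm it by checking which process reopens the file on the 30-second cadence the report describes.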

FireEye’s researchers believe this type of attack will continue going forward, forcing organizations and governments to realize the risk of sending unencrypted information into local communications networks that can be intercepted and gathered at a point far removed from the mobile device.

“This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information. Appropriate safeguards such as utilizing a communication program that enforces end-to-end encryption can mitigate a degree of this risk,” FireEye concluded.