A new blog post and research report from the Lookout Threat Intelligence Team has exposed the lengths to which a reputed Chinese government-sponsored APT operation has allegedly gone to track the country’s Uyghur minority population, including the trojanization of mobile apps with surveillanceware.
Lookout details four spyware families — SilkBean, DoubleAgent, CarbonSteal and GoldenEagle — that have not previously been publicly reported (or were only minimally reported) and have been operating as far back as 2015. Moreover, the cybersecurity firm says these malware programs are connected via shared code, C2 infrastructure and signing certificates to a previously known quartet of Android surveillance tools, called HenBox, PluginPhantom, Spywaller and DarthPusher.
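The attribution logic described above, linking separate malware families through shared signing certificates and C2 infrastructure, is the kind of indicator pivoting an analyst repeats on any new sample set. The following Python is an added illustration, not code from Lookout or from the report: it takes a constructed table of sample records (the family names are the ones the article lists; every certificate fingerprint, C2 host and sample id is a placeholder, not a real indicator) and uses union-find to group samples into clusters wherever two of them share an indicator, keeping the evidence for each link so the cluster can be explained rather than just asserted.

```python
"""Cluster malware samples by shared indicators (signing certificate, C2 host).

Added example for illustration; the sample records below are constructed and
the cert/C2 values are placeholders, not indicators from the Lookout report.
"""
from collections import defaultdict

# Constructed sample metadata. Family names come from the article; "cert" and
# "c2" values are placeholders chosen so that the first eight families form one
# chain of shared indicators and the ninth shares nothing with them.
SAMPLES = [
    {"id": "s1", "family": "SilkBean",        "cert": "cert-A", "c2": {"c2-1.invalid"}},
    {"id": "s2", "family": "HenBox",          "cert": "cert-A", "c2": {"c2-2.invalid"}},
    {"id": "s3", "family": "DoubleAgent",     "cert": "cert-B", "c2": {"c2-2.invalid", "c2-3.invalid"}},
    {"id": "s4", "family": "PluginPhantom",   "cert": "cert-C", "c2": {"c2-3.invalid"}},
    {"id": "s5", "family": "CarbonSteal",     "cert": "cert-D", "c2": {"c2-4.invalid"}},
    {"id": "s6", "family": "GoldenEagle",     "cert": "cert-D", "c2": {"c2-5.invalid"}},
    {"id": "s7", "family": "Spywaller",       "cert": "cert-E", "c2": {"c2-5.invalid"}},
    {"id": "s8", "family": "DarthPusher",     "cert": "cert-E", "c2": {"c2-1.invalid"}},
    {"id": "s9", "family": "UnrelatedAdware", "cert": "cert-Z", "c2": {"ads.invalid"}},
]


class DisjointSet:
    """Minimal union-find with path halving; one node per sample id."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def index_indicators(samples):
    """Map each (indicator_type, value) to the set of sample ids carrying it."""
    index = defaultdict(set)
    for s in samples:
        index[("cert", s["cert"])].add(s["id"])
        for host in s["c2"]:
            index[("c2", host)].add(s["id"])
    return index


def cluster_samples(samples):
    """Return (clusters, evidence).

    clusters: list of sorted family-name lists, largest cluster first.
    evidence: list of (family_a, family_b, indicator_type, value) tuples, one
              per union performed, so every link can be traced to an indicator.
    """
    by_id = {s["id"]: s for s in samples}
    ds = DisjointSet(by_id)
    evidence = []
    for (kind, value), ids in index_indicators(samples).items():
        ids = sorted(ids)
        # Any indicator seen in two or more samples links all of them together.
        for other in ids[1:]:
            ds.union(ids[0], other)
            evidence.append((by_id[ids[0]]["family"], by_id[other]["family"], kind, value))
    groups = defaultdict(set)
    for s in samples:
        groups[ds.find(s["id"])].add(s["family"])
    clusters = sorted((sorted(g) for g in groups.values()), key=len, reverse=True)
    return clusters, evidence


def family_clusters(samples=SAMPLES):
    """Convenience wrapper: just the family clusters for the given samples."""
    return cluster_samples(samples)[0]


def link_evidence(samples=SAMPLES):
    """Convenience wrapper: just the per-link evidence for the given samples."""
    return cluster_samples(samples)[1]


if __name__ == "__main__":
    for i, cluster in enumerate(family_clusters(), 1):
        print(f"cluster {i}: {', '.join(cluster)}")
    for fam_a, fam_b, kind, value in link_evidence():
        print(f"  {fam_a} <-> {fam_b} via shared {kind} {value}")
```

With the constructed records, the eight families named in the article land in one cluster because each shares a certificate or a C2 host with a neighbour, while the unrelated adware sample stays on its own; the evidence list is what an analyst would cite when writing up why two families are being attributed to the same operator. Note that a single shared indicator is weak evidence on its own (signing keys get stolen and hosting gets reused), so in practice clusters built this way are weighted by how many independent indicator types agree, not just by connectivity.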
Lookout attributes the activity to the reputed Chinese APT actor known as APT15 or Ke3chang, also referred to as GREF, Mirage, Vixen Panda and Playful Dragon.
The operation has reportedly been running campaigns as far back as 2013, with the primary goal of collecting and exfiltrating personal user information in order to keep tabs on Uyghurs, a Turkic-speaking ethnic group native to the Xinjiang region of Northern China. But Lookout says it “observed a peak in malware development beginning in 2015.”
China, under the administration of General Secretary Xi Jinping, has been condemned by many Western nations in recent years for persecuting, spying on and interning Uyghurs in camps against their will, all under the pretense of an anti-terrorism effort.
Lookout accuses China of using the surveillanceware to track Uyghurs even outside of China, as well as Tibetans, and Muslim populations around the world.
Uyghur apps that have been trojanized with the spyware include a music service called Sarkuy, a pharmaceutical app called TIBBIYJAWHAR and an e-commerce site called Tawarim. But the malware has also been found in a Turkish navigation app, a Kuwaiti radio app and a Syrian news app.
“Our research found that at least 14 different countries may be affected by the campaigns,” reports Lookout, noting that affected apps targeted not only Uyghur-speakers, but also speakers of English, Arabic, Chinese, Turkish, Pashto, Persian, Malay, Indonesian, Uzbek and Urdu/Hindi.
Lookout describes the SilkBean spyware as a “small and targeted Android surveillanceware tool” found mainly in trojanized apps “for Uyghur/Arabic focused keyboards, alphabets, and plugins.” It possesses “comprehensive RAT (remote access trojan) functionality that allows an attacker to execute over 70 different commands on an infected device,” granting the adversary “extensive surveillance and remote-control capabilities.”
The DoubleAgent malware, meanwhile, is an advanced Android RAT, early versions of which were originally discovered and disclosed by Citizen Lab, the report states.
Early DoubleAgent samples were found in the Voxer walkie-talkie app, the TalkBox voice messaging app and an ISIS news app, while more recent samples observed in 2019 were found “masquerading as third-party Android app stores (islamapk[.]com and yurdax[.]com) serving Uyghur-focused applications,” Lookout reveals.
Lookout has identified 15 applications whose files or databases are exfiltrated to DoubleAgent C2 servers, many of them voice and messaging apps that users rely on to communicate (e.g. WhatsApp, Airetalk, Telegram and Skype).
Lookout uncovered CarbonSteal, another Android surveillanceware with a Uyghur focus, while investigating the previously reported HenBox malware, as the two programs share numerous indicators of compromise.
According to the report, CarbonSteal has existed since at least 2017, with more than 500 observed examples. “Hallmarks of CarbonSteal include extensive audio recording functionality in a variety of codecs and audio formats, as well as the capability in later samples to control an infected device through specially crafted SMS messages,” the report states. “Attackers can also perform audio surveillance through the malware’s ability to silently answer a call from a specific phone number and allow the attacker to listen in to sounds around an infected device. Based on this functionality, we suspect that CarbonSteal might be deployed in areas with insufficient or no mobile data coverage.”
Finally, Lookout reports that GoldenEagle “targets primarily Uyghurs and Muslims in general, as well as Tibetans, individuals in Turkey, and in China,” with early test samples dating back to 2012.
The malware has been found in a very wide range of trojanized applications, including those related to e-commerce, keyboards, VPN offerings, instant messaging, social networking, adult media content and Google searches.
Lookout says malicious samples of GoldenEagle “can be divided into two major groups: those that exfiltrate data via HTTP and those that exfiltrate data via SMTP, i.e., by sending exfiltrated data in file attachments of emails to an attacker-controlled mailbox using innocuous-looking subjects and mail body content.”