Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Android malware targeting Tibetans has state-sponsored fingerprints


On the heels of an email campaign in which Tibetan activists were targeted with malicious Android applications, academic researchers in Canada have detailed how foreign spies are upping their game to stay ahead of victims.

In an analysis released Monday of another Android malware campaign targeting these same Tibetan activists, researchers at the Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto, have determined that it appears to be the work of Chinese hackers, possibly with the assistance of the nation's government or a major corporation.

The research began when a Tibetan "source" tipped off the Citizen Lab by sending it a copy of an email that was the spoofed version of an actual email sent in December from an unnamed information security expert to a member of the Tibetan Parliament-in-Exile.

The legitimate December email contained an APK (Android application package file) for KakaoTalk, a mobile messaging application believed to a more secure alternative to WeChat. Large numbers of Tibetans use WeChat, but lately they have become more aware of its security weaknesses.

On Jan. 16, another email, claiming to come from the same information security expert, was sent to a "high-profile political figure in the Tibetan community." It purported to include the KakaoTalk file, but this one contained a compromised version of the application.

"Our analysis reveals that the legitimate KakaoTalk application was modified to include additional permission requests while preserving the core chat functionality and user interface of the application," Citizen Lab wrote in its report, which later added: "This incident demonstrates the capacity of attackers to rapidly adapt their techniques in response to changes in the communication methods used by targeted communities."

The permissions required by the malicious app exceed what normally would be requested for this type of program to be installed. Researchers proceeded to pick apart the malware and determined that its functionality includes the ability to purloin a user's contacts, call history, and text messages; contact a command-and-control server to obtain updated configuration information; and provide the malware authors with the victim's cellular network base station ID, tower ID, network code and mobile area code.

The latter capability most intrigued Citizen Lab researchers.

"The fact that the malware silently responds to the SMS with such detailed technical information on the cellular phone network and topology is both troubling and curious," the report said. "An unsophisticated actor would have little or no use for this information if they were simply interested in exfiltrating data from the user for purposes such as fraud, spam or identity theft. Nor can this information be easily used to place a person's physical location — the malware is not responding with a convenient longitude and latitude. Detailed knowledge of the cellular network topology and configuration would be required to determine a user's location, something unlikely to be in such an actor's possession."

That led researchers to believe the malware likely was built by a government or business that has access to a mobile network provider's core technology.

Chinese hackers have long been suspected in various malware campaigns targeting Tibetan dissidents, but this latest Android threat provides some of the most convincing evidence to date that the attacks are state sponsored.

"It almost certainly represents the information that a cellular service provider requires to initiate eavesdropping, often referred to as “trap & trace," the report said. "Actors at this level would also have access to the data required to perform radio frequency triangulation based on the signal data from multiple towers, placing the user within a small geographical area."

Researchers believe the Chinese government may be motivated to significantly ramp up their eavesdropping of Tibetan activists in light of the growing number of self-immolations, in which activists set themselves on fire in protest of Chinese oppression.

Mobile devices appear to be the main tool being used to organize these forms of protest, and Chinese authorities are seeking to crack down on the practice because it generally brings widespread attention to the Tibetan's cause.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.