Malware Arsenal Targets Tibetan Activists

Tibetan activists in China as well as those living in exile around the world are being targeted by dangerous malware that not only steals data from infected computers, but also has graduated to reporting location data from mobile devices for surveillance purposes.

Tibetan activists in China as well as those living in exile around the world are being targeted by dangerous malware that not only steals data from infected computers, but also has graduated to reporting location data from mobile devices for surveillance purposes.

In addition, a grassroots campaign teaching Tibetan activists to move away from communicating using email attachments may have led to a recent spike in watering hole attacks targeting websites frequented by the Uyghur and other Tibetan national groups.

The campaign called Detach from Attachments is part of an ongoing effort by the Tibet Action Institute to educate oppressed people about how to safely communicate using technology and the Internet to organize non-violent demonstrations and protests.

“The campaign took off in the Tibetan community and many now do not use attachments when they communicate,” said Ronald Deibert, director of Citizen Lab, Munk School of Global Affairs at the University of Toronto. “An interesting consequence is that after they mounted this campaign, attackers switched tactics. Now we’ve seen watering hole attacks become more common, compromising sites and users with unpatched browsers.”

These attacks are now growing on mobile platforms. Recently, researchers at Kaspersky Lab found the first targeted attacks using Android malware. This week, Citizen Lab reported another strain of Android malware targeting Tibetans that reports location information to the attacker, likely for surveillance. Researchers say the attacks against the activists originate in China.

“When we reverse-engineered the malware and looked at the permission sets, among them was information sent back about cell phone tower information,” Deibert said. “This would only be useful to someone who would be able to correlate that information with the data on the towers themselves, otherwise a private company or a government who has access to the private company running the towers. This is not the type of thing we would normally see if the intent of the malware was more criminal than political. This is the first step in monitoring someone’s location in terms of tower triangulation.”

Experts say the Chinese want to impede the Tibetan activists’ ability to communicate and coordinate non-violent demonstrations and protests. Tibet has been fighting China for its independence since the 1950s when the Dalai Lama and the Tibetan government were forced into exile. Their reported use of watering hole attacks and malware attacks against mobile devices has extended now from simple monitoring of communication to location data.

“It’s not surprising to us that the capability is there,” said Lhadon Tethong, director of the Tibet Action Institute. “Of course what’s disturbing and alarming is that the authorities would be interested in getting [Tibetans] to install this kind of surveillance tool ourselves on our own phones. It doesn’t take much to track people. It’s alarming, but not all surprising or new for us.”

The Android attack discovered by Kaspersky Lab was initiated via a phishing email sent from the compromised account of a well-known Tibetan activist. The emails were sent to the activist’s contact list with a message about the World Uyghur Congress human rights conference and also containing an infected Android application package file (.APK). Once the victim opens and executes the supposed Android application, the malware collects information on the phone and sends it to a command and control server once an incoming SMS message is received containing a particular command.

The malware obtained in January by Citizen Lab also contained a malicious APK attachment, this one for a mobile messaging application developed in South Korea called Kakao Talk. Kakao Talk has become an alternative to a similar app built in China called WeChat that experts say comes pre-installed with spyware.

Deibert said that in December, a security expert sent a member of the Tibetan parliament living in exile a legitimate version of Kakao Talk as an email attachment—Tibetan Android users do not have access to Google Play and often share APK files in order to get apps onto their devices. One month later, a similar email went out from the same expert’s account, which had by then been compromised. The same text was used as the December message, but the Kakao Talk APK had been modified to include data-gathering capabilities including location data. The malware added a number of permissions to the app, including access to network information, location data, read and write permission for SMS and MMS message and other configuration data. Attackers could now read and write contact data, read and send SMS and manage accounts on the phone.

The malware would encrypt contact data, call history, SMS logs and cellular network configuration to an encrypted file. It would contact a command and control server called android[.]Uyghur[.]dnsd[.]me for more configuration information. It would also read SMS messages and if the message contained certain code, it would reply with base station ID, tower ID, mobile network code and mobile area code information for the victim’s Android device.

“This is the first targeted Android malware we’ve come across in our study group,” Deibert said. Citizen Lab did some of the early research into Gh0stNet and other APT-style targeted campaigns.

Nathan Freitas, director of technology for Tibet Action Institute and the institute’s mobile security initiative Guardian Project, acknowledged that while this might be the first such incursion on Android, surveillance via technology has been happening on other platforms for some time.

“This is a lazy way of doing it. China does it via their infrastructure if they know your SIM card,” Freitas said. “It’s normal; in China they are able to go farther with it because there isn’t a strong rule of law against it. In a sense, this is like FinFisher where it’s too hard to go to the phone company and deal with them so they make an app. It’s easier. They don’t need the cooperation of the telecoms, that’s the scary aspect.”

Tibetan human rights sites were also reportedly targets of watering hole attacks as recently as January. Watering hole attacks are espionage campaigns where malware is implanted onto a vulnerable website frequented by individuals with a common interest. The website malware, usually a Java or Flash exploit, generally will silently redirect the user to a website controlled by the attacker where more malware is installed. In many cases, the malware collects data from the user’s computer and in some cases conducts surveillance on the target by manipulating the microphone or webcam built into their machines.

Recent attacks targeting the Uyghur in particular used the World Uyghur Congress as bait. Attackers were using a recently discovered Java sandbox exploit to infect users with exploits against the same vulnerability targeted by the MiniDuke espionage campaign. Infected PDF documents were spreading a remote access Trojan that would give an attacker unfettered access to a victim’s machine, allowing them to steal data and upload additional malware. While MiniDuke targeted government offices in Europe, these attacks were focused on the Uyghur and other Tibetan activists.

In mid-February, a spear phishing campaign was spotted targeting the group with malicious Microsoft Word documents that exploited a buffer overflow vulnerability discovered and patched in 2009. Attacks against Mac OS X users were also detected last summer that would give attackers remote control of Mac computers in order to access and steal files.

Suggested articles