Going Down the Spyware Rabbit Hole with SilkBean Mobile Malware

mobile spyware

An Android spyware attack was recently discovered that targeted the Uyghur ethnic minority group – since 2013.

In this in-depth Threatpost podcast Christoph Hebeisen, who leads the Security Intelligence Research Division at Lookout, shares a behind-the-scenes look at how his team discovered and tracked three never-before-seen surveillanceware tools, dubbed SilkBean, GoldenEagle and CarbonSteal.

Hebeisen walks listeners through what these new tools are and how they were used in a seven-year long surveillanceware campaign against the Uyghur ethnic minority group. Also discussed are the threat actor’s methods and procedures and why the mobile landscape is becoming a popular targets for advanced persistent threat actors.

Listen to the podcast below or download direct here.

Below find a lightly edited transcript of this podcast.

Lindsey O’Donnell-Welch: Hi all this is Lindsey O’Donnell-Welch with Threatpost and I’m here today talking with Christoph Hebeisen with Lookout about a new surveillance campaign that Lookout researchers recently uncovered earlier in July. So just for some background, Christoph leads the Security Intelligence Research Division at lookout. And in this role, he oversees the company’s suite of research activities like covering malware, device compromises, network threats, phishing and threat intelligence services. So, Christoph, thanks so much for joining us today. How are you doing?

Christoph Hebeisen: I’m doing fine. Thank you.

LO: Good. Well, we really appreciate you coming onto the show today and talking about this new surveillanceware campaign. So Lookout discovered it uses kind of a slew of Android surveillance software tools to spy on an ethnic minority group called the Uyghurs. And this campaign was only disclosed last week, but it goes all the way back to 2013. So tell us a little bit about the story behind the scenes here from the perspective of Lookout’s research team, what was kind of the process of uncovering this campaign and really getting into it and analyzing it. And you know, when did it really first appear on your radar?

CH: Yeah, this this is actually a very fascinating story, because we found various pieces of surveillanceware over time, but we didn’t initially realize that they were all connected, and were all coming from the same actor. We have certainly been tracking this since 2015. We have samples in our database that, as you said, go back to 2013 and actually all the way back to 2012. But we think that those are probably test samples. So we pegged the start of the actual campaign to 2013. There’s a little bit of fuzziness in that.

The campaign really started to take shape in our view of all of this in late 2019, when we were looking into the SilkBean family in particular, when we started looking deep into the infrastructure involved in SilkBean, we found many connections to the other malware families involved in this and this whole web of interconnections started to unravel. And that is when the campaign took shape for us. That said, the malware families individually we had known about for a long time, we hadn’t talked about them publicly, because it wasn’t such an interesting story while they were all standing in isolation.

LO: No, that’s really interesting too. And I know that there have been a couple of different spyware, Android tools that were wrapped up in this as well. So how did the campaign really evolve over time?

CH: So as I already mentioned, the earliest samples started showing up in 2012, and we believe that, that the production samples that were actually used in the campaign are from 2013. The same year in 2013, Citizen Lab actually reported on a single malware family sample being used against the Tibetan government in exile. And we later connected that sample to the DoubleAgent family, so we know there was activity there. At that time, we saw a great spike in activity actually in 2015, 2016, which kind of aligned with a new national security law that China issued at the time, and also what they called an anti-terrorism campaign that got started in 2014. So that’s an interesting correlation to see there.

It appears that recently as of late 2019 or early 2020, the command and control server started disappearing and shutting down, but we are still observing some activity especially in the GoldenEagle family with some new samples showing up. So it seems that certainly the campaign was active at least until early this year and might still be active now. But we can’t say with certainty.

LO: Right. And then can you talk a little bit about the actual tools that you uncovered as part of this campaign, I know that three of those were actually never before seen. And Lookout called those SilkBean, GoldenEagle and Carbon Steal. And then there was a fourth tool that had been previously discovered that was called DoubleAgent. And so it sounded like the tools kind of were all related in that they had you know, capabilities of gathering and exfiltrating personal user data to attacker operated C2 servers, but what made each of them unique and kind of what stuck out to you about each one?

CH: So I’ll start on on SilkBean because that’s the one from which we unraveled the the entire web of surveillanceware. SilkBean is, I would characterize it as a surveillanceware because I know that is the goal of what is happening with this malware. But it could also be characterized as a remote access Trojan or RAT for short. So it essentially queries a command and control server at regular intervals, asked for a command or a series of commands that it will then execute and report back the result of of that command. That’s as opposed to kind of classic surveillanceware, which will monitor certain things and just regularly report them to the command and control server. So this gives the attacker to a degree a little more control over what is happening on the victim’s device.

In Carbon Steal, I would say is is one of the most interesting surveillancewares in this set, in that it can actually operate entirely without having internet access. It can take both its commands and also exfiltrate the information that it collects via SMS and it also will accept phone calls from a certain predefined number, answer that call without ever ringing and then basically provide an open mic in the room where the device is sitting until the attacker hangs up the phone on on their end. And after that the malware will delete this call from the call record of the device so that the target never knows this actually happened. Golden Eagle I think is mostly interesting for how long it has been around, it’s the malware family from which we have the earliest sample and as I mentioned earlier, we are still seeing new samples for that one coming in. So the sheer persistence of that one is, is really impressive.

LO: Now, just before we wrap up, I wanted to ask you about the APT mobile landscape in general, and, you know, the mobile threat landscape, because clearly, this is a constantly evolving environment. And it’s just so interesting. There’s so much happening with it. So can you talk a little bit about how, what the top trends are that you’re seeing in terms of mobile spyware that’s being deployed, and how this landscape really is evolving and what to look out for in the future.

CH: So, you have already mentioned that, that we see much happening in this in this space at the moment and that is that is definitely reflected in what we are seeing. Most recently I think publicly Amnesty International reported various attacks in in Morocco on on activists and journalists and I think lawyers there. We have certainly recently seen attacks in many countries. We have seen campaigns in countries such as Italy, Russia, Pakistan, India, and and many others, that seemed to indicate that trend.

Also, there was the case of Jamal Khashoggi, who is alleged to have been targeted by surveillanceware by Saudi Arabia before he was murdered.

So, there certainly seems to be an uptick in the use of mobile surveillanceware by state actors and state sponsored campaigns, so certainly, certainly there is that visibility. And what we are also seeing is that there’s a wide variety in the sophistication of those attacks. So when we are looking at campaigns in Morocco, where potentially zero click or at most one click attacks were used both in campaigns like the one that we saw in China where the malware is app based and requires the user to install an app. And I think that really indicates how the attackers use surveillanceware of complexity that is appropriate for the for the situation, if appropriate as the right word for for that.

LO: Yeah, well, it’s definitely a lot there that we’ll be keeping our eyes on in the coming months. Christoph, thank you so much for coming on and talking to us about Lookout’s research on spyware and some of the trends we’re seeing.

CH: Thank you so much for having me on your show.

LO: And thanks to all our listeners. If you have any comments or thoughts feel free to comment on our Twitter page, @Threatpost. And catch us on the next episode of our show.

Check out our podcast microsite, where we go beyond the headlines on the latest news.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.