Chinese Android spyware targets minority Muslim group

Chinese state-sponsored hackers have been using Android malware to spy on Uyghur and Tibetan ethnic minority people for seven years, according to new research from security firm Lookout.

Lookout's threat intelligence team says four Android surveillance tools, dubbed SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle, were embedded in dozens of apps that would appeal to Uyghurs and, "to a lesser extent," Tibetans.

China has been leveraging the tools to collect personal information from victims in 14 mostly majority-Muslim countries, Lookout said. The data is sent back to command-and-control servers managed by Chinese state-sponsored hackers.

“These four interconnected malware tools are elements of much larger mAPT (mobile advanced persistent threat) campaigns originating in China, and primarily targeting the Uyghur ethnic minority,” said researchers Apurva Kumar, Christoph Hebeisen and Kristin Del Rosso in a blog post. “Activity of these surveillance campaigns has been observed as far back as 2013.”

Dodgy apps

The malicious tools were injected into legitimate apps, including VPNs, news websites, beauty services and social media platforms, that were available to download from fake app stores and also spread via phishing campaigns. (The official Google Play app store is not available in China.)

The Lookout blog post warned that these malicious tools have their “own unique data gathering priorities and techniques”. 

Collectively, they could be used to access the microphones of infected devices, locate targets, listen to calls, download photos, read text messages and delete files. 

“Many samples of these malware tools were Trojanized legitimate apps, i.e., the malware maintained complete functionality of the applications they were impersonating in addition to its hidden malicious capabilities,” the Lookout blog post said.

Vulnerable targets 

While Uyghurs were the main focus, the Lookout analysis showed that the spyware campaign also targeted Tibetans.

“These two groups are reportedly the main focus of China’s 'counter-terrorism' activity,” the researchers explained in their blog post.

“Titles and in-app functionality of samples, such as 'Sarkuy' (Uyghur music service), 'TIBBIYJAWHAR' (Uyghur pharmaceutical app) and 'Tawarim' (Uyghur e-commerce site) show that the majority of this activity focused on Uyghurs.”

The Uyghurs, who speak a Turkic language and practice Islam, are one of the indigenous ethnic groups of China's far-west Xinjiang province. They have been subject to government repression since Islamist and nationalist demonstrations and terrorist acts began about two decades ago. 

Just last month, Trend Micro researchers detailed what may have been a separate Android-based spyware campaign targeting both Uyghurs and Tibetans. That campaign in turn was linked to a years-long iPhone-based phishing campaign that also targeted Chinese minority activists.

Lookout said its samples dramatically increased in 2015 after the Chinese government implemented new regulations known as the National Security Strategic Guidelines, the National Security Law and the Counterterrorism Law as part of its "Strike Hard Campaign Against Violent Terrorism."

The researchers believe that these campaigns are active in other regions of the world.

“Titles such as 'Turkey Navigation', 'A2Z Kuwait FM Radio', 'اخبار سوريا' ('Syria(n) News') may suggest targets in Turkey, Kuwait and Syria respectively,” the blog post said.

“Our research found that at least 14 different countries may be affected by the campaigns. 12 of these are on the Chinese government’s official list of '26 Sensitive Countries,' which according to public reporting, are used by authorities as targeting criteria.”

Those 26 countries comprise most of the majority-Muslim countries in the Middle East, Central Asia and Southeast Asia, plus Russia, Nigeria, Thailand, Kenya and South Sudan, all of which have significant Muslim populations.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!