Malware used to spy on Tibetan activists and other ethnic groups in China is nothing new. But a new Trojan discovered by researchers at Kaspersky Labs has widened the scope of this digital espionage and intimidation. The malware uses a combination of e-mail hacking, "spear phishing," and a Trojan built specifically for Android smartphones. Kaspersky claims this is the first discovery of a targeted attack that uses mobile phone malware.
On March 25, the e-mail account of a Tibetan activist was hacked and then used to distribute Android malware to the activist's contact list. The e-mail's lure was a statement on the recent conference organized by the World Uyghur Congress that brought together Chinese democracy activists and Tibet, Southern Mongolia, and East Turkestan human rights activists. The e-mail claimed to have an attachment that was a joint letter from WUC, the Unrepresented Nations and Peoples Organization, and the Society for Threatened Peoples. If the targets opened the attachment, however, they received malware packaged in an Android APK file.
When opened, the Trojan installs an app called "Conference" on the Android devices' desktops. If the app is launched, it displays a fake message from the chairman of the WUC—while sending back a message to a command and control server to report its successful installation. The malware provides a backdoor to the device via SMS messages sent by the server. On command, it returns the phone's contact lists, call logs, data about the smartphone, its geo-location data, and any SMS messages stored on it to a server via a Web POST upload.
The server itself is running on a Chinese-language configured Windows Server 2003 machine sitting in a data center in Los Angeles. In addition to providing an upload point for the data stolen from Android devices, it also hosts more Android malware in its home page and provides a public Web interface (in Chinese) that allows direct control over phones that have been infected with the malware. While the server itself is at an IP address registered to a company called Emagine Concept, a domain pointed at the machine is registered to Shanghai Meicheng Technology Information Development Co., Ltd., a Chinese company with a contact in Beijing.