Android malware again targets Tibetans

Suspected Chinese hackers have again targeted Tibetan activists with malicious Android applications, researchers say.

According to University of Toronto's Citizen Lab, Chinese hackers launched the attacks with possible government or corporate support.

Tibetan source sent Citizen Lab the email used in the attack which was a spoofed copy of an email sent in December from an unnamed information security expert to a member of the Tibetan Parliament-in-Exile.

The legitimate email contained an APK (Android application package file) for KakaoTalk, a mobile messaging application believed to a more secure alternative to WeChat.

Large numbers of Tibetans use WeChat, but lately they have become more aware of its security weaknesses.

On 16 January, another email claiming to come from the same information security expert was sent to a high-profile political figure in the Tibetan community.

It contained a compromised version of the KakaoTalk application.

"Our analysis reveals that the legitimate KakaoTalk application was modified to include additional permission requests while preserving the core chat functionality and user interface of the application," Citizen Lab wrote in its report.

"This incident demonstrates the capacity of attackers to rapidly adapt their techniques in response to changes in the communication methods used by targeted communities."

Researchers found the malware could steal user contacts, call history, and text messages; contact a command-and-control server to obtain updated configuration information; and provide the malware authors with the victim's cellular network base station ID, tower ID, network code and mobile area code.

The latter capability most intrigued Citizen Lab researchers.

"The fact that the malware silently responds to the SMS with such detailed technical information on the cellular phone network and topology is both troubling and curious," the report said.

"An unsophisticated actor would have little or no use for this information if they were simply interested in exfiltrating data from the user for purposes such as fraud, spam or identity theft. Nor can this information be easily used to place a person's physical location — the malware is not responding with a convenient longitude and latitude. Detailed knowledge of the cellular network topology and configuration would be required to determine a user's location, something unlikely to be in such an actor's possession."

That lead researchers to argue the malware likely was built by a government or business that has access to a mobile network provider's core technology.

Chinese hackers have long been suspected in various malware campaigns targeting Tibetan dissidents, but this latest Android threat provides some of the most convincing evidence to date that the attacks are state sponsored.

"It almost certainly represents the information that a cellular service provider requires to initiate eavesdropping, often referred to as 'trap & trace', the report said.

"Actors at this level would also have access to the data required to perform radio frequency triangulation based on the signal data from multiple towers, placing the user within a small geographical area."

Researchers believe the Chinese Government may be motivated to significantly ramp up their eavesdropping of Tibetan activists in light of the growing number of self-immolations, in which activists set themselves on fire in protest of Chinese oppression.

Mobile devices appear to be a the main tool being used to organize these forms of protest, and Chinese authorities are seeking to crack down on the practice because it generally brings widespread attention to the Tibetan's cause.

This article originally appeared at scmagazineus.com