China uses Android malware to spy on ethnic minorities worldwide, according to new research


China-based surveillance campaigns are using Android malware to spy on Muslim Uighurs and other ethnic minorities around the world, according to new research by mobile cybersecurity firm Lookout.

Lookout, based in San Francisco, discovered that Chinese hacker groups are using four surveillance tools to collect personal data from Android smartphones.

Called SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle, these related pieces of malware were not previously documented. They are part of larger mAPT (mobile advanced persistent threat) campaigns originating in China and dating back to 2013. While the campaigns primarily target the Uighur Muslim ethnic minority, Lookout also found evidence that they target Tibetans and Muslims outside of China.

Lookout was able to tie the four surveillance tools to groups linked to China by examining their signing certificates and command-and-control (C2) infrastructure. In all four cases, the certificates and C2 infrastructure involved are shared with other pieces of malware associated with the Chinese GREF hacker group, which is also known as APT15, Ke3chang, Mirage, Vixen Panda, and Playful Dragon.

The malware collects a wide range of personal data from Android smartphones, including location data, contact information, text messages, call history, and mobile metadata (such as model name and serial number). Ominously, the CarbonSteal malware is even capable of “audio recording and data gathering functionality from popular Chinese chat applications.” Meanwhile, GoldenEagle spyware can take screenshots and photos using infected devices.

According to Lookout, the spyware reaches Android phones through targeted phishing and fake third-party app stores. It is hidden in applications targeting Muslim (Uighur) and Tibetan communities, and the content within the sampled malware often references local services and media in countries such as Turkey, Syria, Kuwait, Indonesia, and Kazakhstan.

Applications containing the four pieces of malware have been found in ten different languages: Uighur, English, Arabic, Chinese, Turkish, Pashto, Persian, Malay, Indonesian, Uzbek, and Urdu / Hindi.

Similarly, infected applications have targeted, and been downloaded in, 14 countries, 12 of which China has included in its “26 Sensitive Countries” list, countries with which the Chinese authorities have banned the Uighurs from having contact. These include France, Pakistan, Saudi Arabia, Malaysia, Egypt, and Iran.

It is not known how many Uighurs, Tibetans and other ethnic minorities have downloaded applications that contain the malware. Previous reports have indicated that smartphone-based surveillance of Uighurs is extensive, and that Uighur adults were forced in 2018 to download ‘babysitter’ apps that scan their phones.

Amnesty International has estimated that China has detained more than one million Uighurs for “re-education” purposes. At the same time, Uighurs who have migrated to countries like Turkey also fear that China will press their new host nations to persecute them.

Lookout’s latest report is yet another indication that China’s crackdown on Uighur Muslims extends far beyond China’s borders. Anyone who cares about their own privacy and civil liberties should be concerned, particularly when the coronavirus pandemic appears to be normalizing mass surveillance in many nations.

And once again, the Lookout report shows that digital technology, instead of being a force for freedom, is too often the opposite.
