Cyble: Malware / Spyware Campaign Targeting the Uyghur Community (China)
During a routine threat hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post in which security researchers shared information about an Android malware sample purportedly designed to target the Uyghur community, a Turkic ethnic group originating from Central and East Asia, under the guise of the book The China Freedom Trap.
"The China Freedom Trap" is a personal and political account by the president of the World Uyghur Congress, Dolkun Isa, which details his experiences and struggles in fighting crimes against the Uyghurs, one of the 55 officially recognized ethnic minorities in China.
In light of the ongoing conflict between the Government of the People's Republic of China and the Uyghur community, malware disguised as this book is effective bait for threat actors (TAs) seeking to spread an infection within the targeted community.
Behavioral analysis showed that the malware uses an icon resembling the cover of The China Freedom Trap by Dolkun Isa. On opening the app, the user is shown a few pages of the book, including the cover page, an introduction to the book and its author, and a condolence letter at the end.
We identified several features that the malicious app uses to steal device information, SMS messages, contact data, call logs, and neighboring cell information. The app can also capture the device screen and take pictures with the device's camera.
Figure 1 shows the metadata of the application.
The malware requests 27 different permissions from the user, of which it abuses at least 13. These dangerous permissions are listed below.
| Permission | Description |
|---|---|
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and serial number of the phone, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device |
| READ_SMS | Allows the app to read SMS messages |
| WRITE_SMS | Allows the app to modify or delete SMS messages |
| READ_CONTACTS | Allows the app to read phone contacts |
| PROCESS_OUTGOING_CALLS | Allows the app to process outgoing calls and modify the dialed number |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files on the device's external storage |
| READ_CALL_LOG | Allows the app to read phone call logs |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which can be misused by attackers |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device from network sources such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
| GET_ACCOUNTS | Allows the app to get the list of accounts used on the phone |
| READ_HISTORY_BOOKMARKS | Allows the app to read the browser's history and bookmarks |
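A permission profile like the one above is a useful static triage signal on its own: a document reader has no reason to ask for SMS, contact, call-log, location and microphone access together. The following helper is an added example, not Cyble's tooling, and it assumes the manifest has already been decoded to text (e.g. with apktool); the sample manifests and the "three capability groups" threshold are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The 13 permissions the report lists as abused by the spyware.
ABUSED_PERMISSIONS = {
    "ACCESS_NETWORK_STATE", "READ_PHONE_STATE", "READ_SMS", "WRITE_SMS",
    "READ_CONTACTS", "PROCESS_OUTGOING_CALLS", "WRITE_EXTERNAL_STORAGE",
    "READ_CALL_LOG", "RECORD_AUDIO", "ACCESS_COARSE_LOCATION",
    "ACCESS_FINE_LOCATION", "GET_ACCOUNTS", "READ_HISTORY_BOOKMARKS",
}

# Capability groups a book/PDF reader has no business requesting.
CAPABILITIES = {
    "sms": {"READ_SMS", "WRITE_SMS"},
    "contacts_calls": {"READ_CONTACTS", "READ_CALL_LOG", "PROCESS_OUTGOING_CALLS"},
    "location_cell": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE"},
    "audio": {"RECORD_AUDIO"},
}


def manifest_permissions(manifest_xml: str) -> set:
    """Short names of every <uses-permission> entry in a decoded (text) manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        full = node.get(ANDROID_NS + "name", "")
        # android.permission.X and com.android.browser.permission.X both end in X
        names.add(full.rsplit(".", 1)[-1])
    return names


def triage(manifest_xml: str) -> dict:
    """Score a manifest against the report's profile (the >= 3 groups rule is a heuristic)."""
    perms = manifest_permissions(manifest_xml)
    abused = sorted(perms & ABUSED_PERMISSIONS)
    groups = sorted(g for g, need in CAPABILITIES.items() if need & perms)
    return {"abused": abused, "groups": groups, "suspicious": len(groups) >= 3}


# Constructed manifest fragments for demonstration (not the real APK's manifest).
SPYWARE_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.reader">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.pdf">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SPYWARE_LIKE))
    print(triage(BENIGN_READER))
```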
Our static analysis indicated that the malware steals information from infected devices based on commands received from the TA's Command and Control (C&C) server.
When the application is launched for the first time, the malware checks the Android device's SDK version. If the version is below 29, the malware hides its icon from the device screen and runs silently in the background. The code snippet below is used to hide the app's icon.
If the Android version is above 29, it opens the rd.pdf file bundled in the APK resources.
The file rd.pdf contains the cover page, the introduction to the book and its author, and a condolence letter, as shown in Figures 4 and 5.
After execution, the malware checks whether the device has internet connectivity and collects network details such as Wi-Fi and DHCP information.
The image below contains the code through which the malware obtains phone information such as network operator details and device location from the GSM or CDMA connection. Most importantly, the malware contains code that fetches neighboring cell information, including received signal strength and Cell ID.
The malware also reads phone information, including the IMEI, serial number, and SIM operator details, as shown in the figure below.
The code snippet below depicts the malware’s ability to get the details of the running processes in the device.
The malware uses the code below to collect the victim's SMS data. Attackers can use stolen SMS data for various malicious activities, such as harvesting contact details or bypassing two-factor authentication.
Through the code shown below, the spyware collects the contact information saved on the victim's device. With this contact data, TAs can widen their targeting or run further malicious campaigns against those contacts.
The code snippet below shows the malware’s capability to collect call logs from the victim’s device.
The malicious app can also make outgoing calls from the victim device without the user’s knowledge, as shown in the figure below.
Through the spyware, TAs can send SMS messages to other numbers with content supplied by the C&C server. TAs can use this feature to send spam or extend their campaign by distributing malicious links.
The code snippet shown below is used by the malware to delete SMSes and call logs from the victim device.
Furthermore, the malware captures the screen of the victim device and sends it to the TA’s C&C server.
The code below is used by the malware to check if the camera is present in the device. In cases where the camera is available, this code enables the malware to take pictures and upload them to the TA’s C&C server.
The malware connects to the TA’s server to receive commands and send data from the victim’s device.
TAs leverage various themes, including regional and geopolitical conflicts, to further their malicious aims. In this case, they exploit the Uyghur-Chinese conflict to target unsuspecting individuals.
According to our research, this type of malware is distributed only through sources outside the Google Play Store. Practicing basic cyber hygiene on mobile devices and in online banking applications is therefore a good way to prevent such malware from compromising your devices.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1476 | Deliver Malicious App via Other Means |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1636.004 | Capture SMS Messages |
| Collection | T1636.003 | Capture Contact List |
| Collection | T1636.002 | Capture Call Logs |
| Collection | T1513 | Capture Screen |
| Command and Control | T1436 | Commonly Used Port |
| Indicator | Indicator Type | Description |
|---|---|---|
| a38e8d70855412b7ece6de603b35ad63 | MD5 | Malicious APK |
| 92118623c417c7b9c46b99ae71424198327698a8 | SHA1 | Malicious APK |
| fd99acc504649e8e42687481abbceb71c730f0ab032357d4dc1e95a6ef8bb7ca | SHA256 | Malicious APK |
| blackbeekey.com | URL | C&C URL |