Android Malware Disguised as “The China Freedom Trap” & Stealing Neighboring Cell Information
During our routine threat hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein security researchers shared information about an Android malware purportedly designed to target the Uyghur community, a Turkic ethnic group originating from Central and East Asia, under the guise of the book The China Freedom Trap.
“The China Freedom Trap” is a personal and political account of the president of the Uyghur Congress, Dolkun Isa, which details his experiences and struggles in fighting crimes against Uyghurs, currently recognized as one of the 55 officially recognized ethnic minorities.
In light of the ongoing conflict between the Government of the People’s Republic of China and the Uyghur community, the malware disguised as the book is a lucrative bait employed by threat actors (TAs) to spread malicious infection in the targeted community.
Upon performing behavioral analysis, we observed that this malware has an icon similar to the cover page of the book known as The China Freedom Trap written by Dolkun Isa, and on opening the app, the user is shown a few pages of the book including the cover page, an introduction to the book and its author, along with a condolence letter at the end.
We identified several sophisticated features that the malicious app leverages to steal device information, SMSes, Contacts data, call logs, and neighboring cell information. Among other features, the malicious app can also capture the device screen and take pictures from the device’s camera, etc.
Technical Analysis
APK Metadata Information
- App Name: The China Freedom Trap
- Package Name: com.emc.pdf
- SHA256 Hash: fd99acc504649e8e42687481abbceb71c730f0ab032357d4dc1e95a6ef8bb7ca
Figure 1 shows the metadata information of the application.
Manifest Description
The malware requests 27 different permissions from the user, of which, it abuses at least 13. These dangerous permissions are listed below.
| Permissions | Description |
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device |
| READ_SMS | Access phone messages |
| WRITE_SMS | Allows the app to modify or delete SMS |
| READ_CONTACTS | Access phone contacts |
| PROCESS_OUTGOING_CALLS | Allows the app to process outgoing calls and modify the dialing number |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| READ_CALL_LOG | Access phone call logs |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which can be misused by attackers |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
| GET_ACCOUNTS | Allows the app to get the list of accounts used by the phone |
| READ_HISTORY_BOOKMARKS | Allows the app to read the Browser’s history and bookmarks |
Source Code Review
Our static analysis indicated that the malware steals information from the infected devices based on the commands received from the TA’s Command and Control (C&C) server.
While launching the application for the first time, the malware checks the android device SDK version. If the version is below 29, the malware hides its icon from the device screen and runs silently in the background. The code snippet below is used to hide the app’s icon.
If the Android device version is more than 29, it opens the rd.pdf file present in the APK resources.
The file rd.pdf contains the cover page, the introduction of the book and the author, and a condolence letter, as shown in figures 4 and 5.
After execution, the malware checks for internet connectivity in the device and fetches information, such as Wi-Fi, DHCP, etc.
The image below contains the code through which the malware can get phone information such as network operator details and device location from GSM or CDMA connection. Most importantly, the malware has a code that can fetch the neighboring cell information, including Received Signal Strength and Cell ID location.
The malware also reads the phone information including the SIM’s IMEI, serial number, sim operator information, etc., as shown in the figure below.
The code snippet below depicts the malware’s ability to get the details of the running processes in the device.
The malware uses the code below to collect the victim’s SMS data. Attackers can use stolen SMS data to perform various malicious activities such as stealing contact details, bypassing two-factor authentication, etc.
Through the code showcased below, the spyware collects the contact information saved on the victim’s device. After collecting the contact data, TAs can further extend their target or execute various malicious campaigns on those contacts.
The code snippet below shows the malware’s capability to collect call logs from the victim’s device.
The malicious app can also make outgoing calls from the victim device without the user’s knowledge, as shown in the figure below.
Through the spyware, TAs can send SMSes to other numbers with SMS content provided from the C&C server. TAs can use this feature to send spam messages or extend their campaign by sending malicious links.
The code snippet shown below is used by the malware to delete SMSes and call logs from the victim device.
Furthermore, the malware captures the screen of the victim device and sends it to the TA’s C&C server.
The code below is used by the malware to check if the camera is present in the device. In cases where the camera is available, this code enables the malware to take pictures and upload them to the TA’s C&C server.
The malware connects to the TA’s server to receive commands and send data from the victim’s device.
Conclusion
TAs are leveraging various methods, including regional and biogeographical conflicts, to fulfill their malicious intents. In this case, they are seen taking advantage of the Uyghur–Chinese conflict to target unsuspecting individuals.
According to our research, this type of malware is only distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications is a good way to prevent such malware from compromising your devices.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean. |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1636.004 T1636.003 T1636.002 T1513 | Capture SMS Messages Capture Contact List Capture Call Logs Capture Screen |
| Command and Control | T1436 | Commonly Used Port |
Indicators of Compromise (IoCs)
| Indicators | Indicator Type | Description |
| a38e8d70855412b7ece6de603b35ad63 | MD5 | Malicious APK |
| 92118623c417c7b9c46b99ae71424198327698a8 | SHA1 | Malicious APK |
| fd99acc504649e8e42687481abbceb71c730f0ab032357d4dc1e95a6ef8bb7ca | SHA256 | Malicious APK |
| blackbeekey.com | URL | C&C URL |
