First APT attack on Android targeted Tibetan & Uyghur activists

Read about APT attacks has become customary, even easier to hear of attacks against political dissidents or minorities as Tibetan and Uyghur activists, but never before has been exploited the Android platform for this type of offensive.

In the past Tibetan minorities have been already targeted with malware able to infect Windows and Mac OSs, today researchers at Kaspersky Lab revealed an APT attack that targeted Android devices.

“Until now, we haven’t seen targeted attacks against mobile phones, although we’ve seen indications that these were in development,”

The report states:

“Every day, there are hundreds if not thousands of targeted attacks against Tibetan and Uyghur supporters,” “The vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE20120158, CVE20103333 and CVE20093129.”

As usual, the attackers started the operation gaining access to an email account of one of the victims, a high profile Tibetan activist, to send spear phishing emails to all the individuals directly connected to this one.

The attackers hacked the first account on March 24th, 2013 to send to the victim’s contact list a malicious Android Package (APK) attachment titled “WUC’s Conference.apk”.

The attacks is based on social engineering technique to catch victim’s attention with a topic of interest such as an email having as subject a human rights conference event in Geneva.

When user opens the apk file, the Android package is installed on the device and on its desktop appears an application named “Conference” as shown in the following picture.

At this point it is sufficient that victim executes the app to activate the malware code that contacts the Command & Control server located in the US, Los Angeles, and sends it the data acquired from the device.

The malware sends out data to the C&C server when control structure send it an instruction via SMS messages that contains one of the following commands: “sms”, “contact”, “location”, “other”.

In the same time to the victim is presented a fake message from “Dolkun lsa Chairman of the Executive Committee Word Uyghur Congress”.

Analyst at Kaspersky discovered a domain that points to the same C&C server IP address: “DlmDocumentsExchange(dot)com” registered on March 8th, 2013 to “peng jia” with an email address bdoufwke123010(at)gmail.com.

The C&C server is hosting an index page that serves up an APK file named “Document.apk” that is the equivalent of the Conference.apk but uses text in Chinese and it proposes information on the dispute between China and Japan on “Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands”.

The researches of Kaspersky highlight the fact that attacker used wrongly the word “Word” instead of “World” in the message, confirming the hypothesis that the attackers may not be English-speaking, The command and control server has Windows Server 2003 OS and uses Chinese language suggesting involvement of Chinese individuals.

The hackers collect various information related to the victims such as contacts, communication data (SMS messages and call logs), geolocation and info on the targeted mobile (OS, SDK version, and model), all the data are sent to the C&C in encoded Base64 format.

Analyzing the code security experts noted that authors log various procedure of the malware, probably for debugging purposed, circumstance that suggests that the malicious code may be a prototypal version.

Security experts at Kaspersky have no doubts, this is perhaps the first in a new wave of targeted attacks aimed at Android users that will exploit zero-day vulnerabilities, exploits or a combination of techniques.

The post concluded with the following statement

“For now, the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail.”

For completeness of information I report that malware used in this attack as been dubbed “Backdoor.AndroidOS.Chuli.a.”, its digests are

MD5s:

c4c4077e9449147d754afd972e247efc Document.apk
0b8806b38b52bebfe39ff585639e2ea2 WUC’s Conference.apk

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Uyghur, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.