A new Android malware used to spy on the Uyghur Community

Pierluigi Paganini September 06, 2022

Experts spotted new Android spyware that was used by China-linked threat actors to spy on the Uyghur community in China.

Researchers from Cyble Research & Intelligence Labs (CRIL) started their investigation after MalwareHunterTeam experts shared information about a new Android malware used to spy on the Uyghur community.

The malware disguised as a book titled “The China Freedom Trap,” which is a biography written by the exiled Uyghur leader Dolkun Isa.

“In light of the ongoing conflict between the Government of the People’s Republic of China and the Uyghur community, the malware disguised as the book is a lucrative bait employed by threat actors (TAs) to spread malicious infection in the targeted community.” reads the analysis published by Cyble. “Upon performing behavioral analysis, we observed that this malware has an icon similar to the cover page of the book known as The China Freedom Trap written by Dolkun Isa, and on opening the app, the user is shown a few pages of the book including the cover page, an introduction to the book and its author, along with a condolence letter at the end.”

The app allows to steal device information, SMSs, contacts’ data, call logs, and neighboring cell information. The malicious code is also able to capture the device screen and take pictures from the device’s camera.

The malware steals information from the infected devices based on the commands received from the C2 server. Upon launching the application for the first time, the malware checks the android device SDK version. If the version is below 29, the malicious hides its icon from the device screen and runs in the background. If the device version is greater than 29, it opens the rd.pdf file present in the APK resources, which contains the cover page, the introduction of the book and the author, and a condolence letter.

uyghur spyware

The package name is “com.emc.pdf,” its manifest shows that the malicious code requests 27 different permissions from the user, and abuses at least 13 of them. 

“TAs are leveraging various methods, including regional and biogeographical conflicts, to fulfill their malicious intents. In this case, they are seen taking advantage of the Uyghur–Chinese conflict to target unsuspecting individuals.” concludes the report. “According to our research, this type of malware is only distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications is a good way to prevent such malware from compromising your devices.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Uyghur community)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment