
A new Android malware used to spy on the Uyghur Community

Experts spotted new Android spyware that was used by China-linked threat actors to spy on the Uyghur community in China.

Researchers from Cyble Research & Intelligence Labs (CRIL) started their investigation after MalwareHunterTeam experts shared information about a new Android malware used to spy on the Uyghur community.

The malware is disguised as a book titled “The China Freedom Trap,” a biography written by the exiled Uyghur leader Dolkun Isa.

“In light of the ongoing conflict between the Government of the People’s Republic of China and the Uyghur community, the malware disguised as the book is a lucrative bait employed by threat actors (TAs) to spread malicious infection in the targeted community.” reads the analysis published by Cyble. “Upon performing behavioral analysis, we observed that this malware has an icon similar to the cover page of the book known as The China Freedom Trap written by Dolkun Isa, and on opening the app, the user is shown a few pages of the book including the cover page, an introduction to the book and its author, along with a condolence letter at the end.”

The app can steal device information, SMS messages, contacts, call logs, and neighbouring cell information. The malicious code can also capture the device screen and take pictures with the device’s camera.

The malware exfiltrates data from infected devices in response to commands received from its C2 server. On first launch, it checks the Android SDK (API level) version of the device. If the version is below 29, the malware hides its icon from the launcher and keeps running in the background. If the version is greater than 29, it instead opens the rd.pdf file bundled in the APK resources, which contains the cover page, the introduction to the book and its author, and a condolence letter. The split matches a platform change: starting with Android 10 (API level 29) an app can no longer hide its own launcher icon, so on newer devices the malware falls back to showing the decoy document rather than trying to vanish.

The package name is “com.emc.pdf.” Its manifest shows that the app requests 27 different permissions from the user, at least 13 of which the malicious code actually uses.
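The permission set and package name are the quickest static indicators an analyst can check before any dynamic analysis. The script below is an added example, not Cyble’s tooling or anything from the malware itself: it parses a decoded AndroidManifest.xml (for instance the output of `apktool d sample.apk`; the binary AXML inside a raw APK has to be decoded first), extracts the package name and requested permissions, and maps them onto the capabilities described in the report (SMS, contacts, call logs, neighbouring cell information, camera). The sample manifest embedded in the block is constructed for illustration: the package name `com.emc.pdf` and the book title come from the report, but the permission list and the `min_caps` threshold are assumptions, since the page does not list the 27 permissions.

```python
"""Triage a decoded AndroidManifest.xml for the spyware capability profile
described in the report (SMS, contacts, call logs, cell info, camera).

Added example, not Cyble's tooling. The embedded sample manifest is
constructed: the package name comes from the report, the permissions do not.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability named in the report -> permissions that grant it.
# (Neighbouring cell info is gated behind the location permissions.)
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "cell_info": {"android.permission.ACCESS_COARSE_LOCATION",
                  "android.permission.ACCESS_FINE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
}

# Constructed sample, NOT the real manifest of com.emc.pdf.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.emc.pdf">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="The China Freedom Trap">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package_name, set of requested permission names)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    # <uses-permission> is un-namespaced; its android:name attribute is not.
    perms = {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}
    perms.discard(None)
    return package, perms


def spyware_capabilities(perms):
    """Sorted list of report capabilities the permission set enables."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & needed)


def triage(xml_text, min_caps=4):
    """Summarise the manifest; 'suspicious' is an assumed threshold on how
    many of the report's spyware capabilities a single app requests."""
    package, perms = parse_manifest(xml_text)
    caps = spyware_capabilities(perms)
    return {
        "package": package,
        "permission_count": len(perms),
        "capabilities": caps,
        "suspicious": len(caps) >= min_caps,
    }


if __name__ == "__main__":
    # Run against the constructed sample; point parse at a real decoded
    # manifest by reading its text into triage() instead.
    print(triage(SAMPLE_MANIFEST))
```

A reader app that legitimately shows a PDF needs none of these permissions, so the combination of a document-viewer package name with SMS, call-log and camera access is the mismatch worth flagging; the threshold and the exact permission-to-capability mapping should be tuned against the actual 27 permissions once the manifest is in hand.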

“TAs are leveraging various methods, including regional and biogeographical conflicts, to fulfill their malicious intents. In this case, they are seen taking advantage of the Uyghur–Chinese conflict to target unsuspecting individuals.” concludes the report. “According to our research, this type of malware is only distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications is a good way to prevent such malware from compromising your devices.”


Pierluigi Paganini

(SecurityAffairs – hacking, Uyghur community)

