Malware and spyware attacks on Chinese dissident groups have usually been focused on PC, Mac, or email accounts. But now specially-made infectious Android apps are a threat as well. Security researchers at Kaspersky say they’ve found a targeted malware attack on Android phones that seems to come from China. It seeks to steal information like contacts, call logs, and SMS of people who work in the field of human rights, especially related to China’s Tibet and Xinjiang provinces.
It started earlier this week when, as the Kaspersky team explains, “the e-mail account of a high-profile Tibetan activist was hacked and used to send spear phishing e-mails to their contact list.” Attached to those mails is malware masquerading as a useful app related to an event, with the file name “WUC’s Conference.apk”. If a user downloads and installs the file (as needs to be done with any Android app), it “secretly reports the infection to a command-and-control server” and begins stealing information on the human rights worker, such as:
- Contacts (stored both on the phone and the SIM card)
- Call logs
- SMS messages
- Phone data (phone number, OS version, phone model, SDK version)
Although the app looks basic, the researchers find that it’s pretty efficient at its sole task of harvesting information on the phone’s user and his or her network of contacts.
Aside from this Android spyware attacking groups of which Chinese authorities have long been wary, what’s the proof of the nation’s involvement? Though the malware’s command-and-control server points to Los Angeles in the US, the server is newly registered to a company named Shanghai Meicheng that’s actually registered in Beijing. Plus, within the app itself the security team found lines of Chinese text in the logs. Kaspersky warns on its blog:
It is perhaps the first in a new wave of targeted attacks aimed at Android users. So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.
Politically-motivated hack attacks caused yet another kerfuffle for Google in China back in the summer of 2011. On that occasion, a vulnerability in Adobe Flash tweaked the Gmail settings of infected users – it seemed aimed at foreign journalists in China – to forward email to a mysterious Big Brother.
Obviously it’s best not to install “.apk” files from unknown sources. If you really must, at least Android clearly displays an app’s permissions on the review screen before it is installed, so excessive permissions – like “read contacts” – are a useful warning sign. Thankfully, spyware Android apps cannot install and execute themselves automagically (as happens on Windows), but activists and journalists working in this area still need to be cautious.
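The permission review described above can also be done on the manifest before an APK ever reaches a phone, which is useful for anyone vetting attachments on behalf of a group. The script below is an added example, not Kaspersky’s code or part of the report: it reads a decoded AndroidManifest.xml and flags an app that asks for the exact data categories listed earlier (contacts, call logs, SMS, phone data) together with network access, since a conference-agenda app needs none of that. The manifest text, the package name and the category labels are constructed for the example; the permission names are real Android ones, and the manifest is assumed to have already been decoded from the APK’s binary XML to plain text.

```python
"""Flag an Android app whose requested permissions match the data-harvesting
profile from the article: personal data (contacts, call logs, SMS, phone
details) plus network access.  Added example; assumes the AndroidManifest.xml
has already been decoded from the APK's binary XML to plain text."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names mapped to the data category each one unlocks.
# The category labels are this example's own, chosen to match the article.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_PHONE_STATE": "phone data",
}
# Without a network path the harvested data has nowhere to go.
EXFIL = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")]


def assess(manifest_xml: str) -> dict:
    """Classify the manifest: 'ok', 'review' (reads personal data but has no
    network access) or 'suspicious' (reads personal data and can send it out)."""
    perms = requested_permissions(manifest_xml)
    categories = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    network = any(p in EXFIL for p in perms)
    if categories and network:
        verdict = "suspicious"
    elif categories:
        verdict = "review"
    else:
        verdict = "ok"
    return {"permissions": perms, "categories": categories,
            "network": network, "verdict": verdict}


# Constructed manifest resembling what a data-stealing "conference" app would
# request; the package name is made up for the example.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.conference">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Conference Agenda"/>
</manifest>
"""

# Constructed manifest for a harmless agenda viewer that only needs the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.agenda">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Agenda Viewer"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("conference app", CONSTRUCTED_MANIFEST),
                            ("agenda viewer", BENIGN_MANIFEST)):
        result = assess(manifest)
        print(f"{label}: {result['verdict']} "
              f"(reads {', '.join(result['categories']) or 'nothing sensitive'}; "
              f"network={result['network']})")
```

The “review” verdict exists because an app can legitimately read contacts (a dialer, say) without also needing to talk to the Internet; it is the combination of personal-data permissions with a network path that matches the behaviour the article describes, so only that combination is rated suspicious.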