New Android Spyware Tools Emerge in Widespread Surveillance Campaign
Researchers have uncovered a surveillance campaign that dates back to at least 2013, using a slew of Android surveillance tools to spy on the Uyghur ethnic minority group.
The campaign uses three never-before-seen Android surveillance tools, dubbed SilkBean, GoldenEagle and CarbonSteal, and one previously revealed tool, DoubleAgent. The purpose of these tools is to collect personal user data and exfiltrate it to attacker-operated command-and-control (C2) servers.
"Many samples of these malware tools have been trojanized legitimate apps, i.e. the malware has maintained full functionality of applications that have been impersonated in addition to its hidden malicious capabilities," said Apurva Kumar, Christoph Hebeisen and Kristin Del Rosso, Security Researchers at Lookout, in a Wednesday analysis.
The malware families have been used in widespread campaigns originating in China, targeting mainly Uyghurs, but also, to a lesser extent, Tibetans. The Uyghurs, a Turkish minority ethnic group affiliated with Central and East Asia, have previously been targeted by other spyware attacks, including the ActionSpy campaign seen as recently as June.
Researchers believe that Uyghurs were the targets, based on the titles of the apps through which the spyware was distributed and the in-app functionality of the spyware samples. Such titles include "Sarkuy" (Uyghur music service), "TIBBIYJAWHAR" (Uyghur pharmaceutical app) and "Tawarim" (Uyghur e-commerce website). Researchers say that the surveillance apps in the campaign were likely distributed through a combination of targeted phishing and fake third-party app stores, but fortunately, they haven't been found on official app marketplaces like Google Play.