Cyble-Malware-Spyware-Campaign-Targeting-Uyghur-Community-China

Spyware Campaign Targeting The Uyghur Community

Android Malware Disguised as “The China Freedom Trap” & Stealing Neighboring Cell Information

During our routine threat hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein security researchers shared information about an Android malware purportedly designed to target the Uyghur community, a Turkic ethnic group originating from Central and East Asia, under the guise of the book The China Freedom Trap.

“The China Freedom Trap” is a personal and political account of the president of the Uyghur Congress, Dolkun Isa, which details his experiences and struggles in fighting crimes against Uyghurs, currently recognized as one of the 55 officially recognized ethnic minorities.

In light of the ongoing conflict between the Government of the People’s Republic of China and the Uyghur community, the malware disguised as the book is a lucrative bait employed by threat actors (TAs) to spread malicious infection in the targeted community.

Upon performing behavioral analysis, we observed that this malware has an icon similar to the cover page of the book known as The China Freedom Trap written by Dolkun Isa, and on opening the app, the user is shown a few pages of the book including the cover page, an introduction to the book and its author, along with a condolence letter at the end.  

We identified several sophisticated features that the malicious app leverages to steal device information, SMSes, Contacts data, call logs, and neighboring cell information. Among other features, the malicious app can also capture the device screen and take pictures from the device’s camera, etc.

Technical Analysis

APK Metadata Information

  • App Name:  The China Freedom Trap
  • Package Name: com.emc.pdf
  • SHA256 Hash: fd99acc504649e8e42687481abbceb71c730f0ab032357d4dc1e95a6ef8bb7ca

Figure 1 shows the metadata information of the application.

Figure 1 – App Metadata Information

Manifest Description

The malware requests 27 different permissions from the user, of which, it abuses at least 13. These dangerous permissions are listed below.

PermissionsDescription
ACCESS_NETWORK_STATEAllows the app to view information about network connections
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device
READ_SMSAccess phone messages
WRITE_SMSAllows the app to modify or delete SMS
READ_CONTACTSAccess phone contacts
PROCESS_OUTGOING_CALLSAllows the app to process outgoing calls and modify the dialing number
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the external storage of the device
READ_CALL_LOGAccess phone call logs
RECORD_AUDIOAllows the app to record audio with the microphone, which can be misused by attackers
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi
ACCESS_FINE_LOCATIONAllows the app to get the precise location of the device using the Global Positioning System (GPS)
GET_ACCOUNTSAllows the app to get the list of accounts used by the phone
READ_HISTORY_BOOKMARKSAllows the app to read the Browser’s history and bookmarks

Source Code Review

Our static analysis indicated that the malware steals information from the infected devices based on the commands received from the TA’s Command and Control (C&C) server.

While launching the application for the first time, the malware checks the android device SDK version. If the version is below 29, the malware hides its icon from the device screen and runs silently in the background. The code snippet below is used to hide the app’s icon.

Figure 2 – Code to Hide App Icon

If the Android device version is more than 29, it opens the rd.pdf file present in the APK resources.

Figure 3 – App Opens PDF

The file rd.pdf contains the cover page, the introduction of the book and the author, and a condolence letter, as shown in figures 4 and 5.

Figure 4 – rd.pdf File
Figure 5 – Condolence Letter

After execution, the malware checks for internet connectivity in the device and fetches information, such as Wi-Fi, DHCP, etc.

Figure 6 – Code to Get Internet Connectivity Info

The image below contains the code through which the malware can get phone information such as network operator details and device location from GSM or CDMA connection. Most importantly, the malware has a code that can fetch the neighboring cell information, including Received Signal Strength and Cell ID location.

Figure 7 – Code to Get Phone Info

The malware also reads the phone information including the SIM’s IMEI, serial number, sim operator information, etc., as shown in the figure below.

Figure 8 – Code to get SIM Information

The code snippet below depicts the malware’s ability to get the details of the running processes in the device.

Figure 9 – Code to Get Information of Running Processes

The malware uses the code below to collect the victim’s SMS data. Attackers can use stolen SMS data to perform various malicious activities such as stealing contact details, bypassing two-factor authentication, etc.

Figure 10 – Code to Collect SMSes

Through the code showcased below, the spyware collects the contact information saved on the victim’s device. After collecting the contact data, TAs can further extend their target or execute various malicious campaigns on those contacts.

Figure 11 – Code to Collect Contacts Data

The code snippet below shows the malware’s capability to collect call logs from the victim’s device.

Figure 12 – Code to Collect Call Logs

The malicious app can also make outgoing calls from the victim device without the user’s knowledge, as shown in the figure below.

Figure 13 – Code to Make Call

Through the spyware, TAs can send SMSes to other numbers with SMS content provided from the C&C server. TAs can use this feature to send spam messages or extend their campaign by sending malicious links.

Figure 14  – Code to Send SMS

The code snippet shown below is used by the malware to delete SMSes and call logs from the victim device.

Figure 15  – Code to Delete SMS and call logs

Furthermore, the malware captures the screen of the victim device and sends it to the TA’s C&C server.

Figure 16 – Code to Capture Device Screen

The code below is used by the malware to check if the camera is present in the device. In cases where the camera is available, this code enables the malware to take pictures and upload them to the TA’s C&C server.

Figure 17 – Code to Capture Image Using Camera

The malware connects to the TA’s server to receive commands and send data from the victim’s device.

Figure 18 – Command & Control URL

Conclusion

TAs are leveraging various methods, including regional and biogeographical conflicts, to fulfill their malicious intents. In this case, they are seen taking advantage of the Uyghur–Chinese conflict to target unsuspecting individuals.

According to our research, this type of malware is only distributed via sources other than Google Play Store. As a result, practicing basic cyber hygiene across mobile devices and online banking applications is a good way to prevent such malware from compromising your devices.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
ExecutionT1575Native Code
CollectionT1636.004
T1636.003
T1636.002
T1513
Capture SMS Messages
Capture Contact List
Capture Call Logs
Capture Screen
Command and ControlT1436Commonly Used Port

Indicators of Compromise (IoCs)

IndicatorsIndicator TypeDescription
a38e8d70855412b7ece6de603b35ad63MD5Malicious APK
92118623c417c7b9c46b99ae71424198327698a8SHA1Malicious APK
fd99acc504649e8e42687481abbceb71c730f0ab032357d4dc1e95a6ef8bb7caSHA256Malicious APK
blackbeekey.comURLC&C URL
Scroll to Top