Android Malware Infects Activists' Phones - InformationWeek


Targeted, data-stealing attack launched via Tibetan activist's email account leads to Chinese server in Los Angeles, says Kaspersky Lab.

Security researchers have discovered what appears to be the first known sighting of in-the-wild Android malware that's been designed to conduct targeted attacks.

"Until now, we haven't seen targeted attacks against mobile phones, although we've seen indications that these were in development," Kaspersky Lab researchers Costin Raiu, Kurt Baumgartner and Denis Maslennikov said in a blog post.

The related Android malware spear-phishing attacks appeared to commence after attackers hacked into a top activist's email account. "Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates," said the researchers. "Perhaps the most interesting part is that the attack e-mails had an APK attachment -- a malicious program for Android."


The spear-phishing email used in the attacks referred to a recently held human rights conference organized by Uyghur, Mongolian, Tibetan and Chinese activists in Geneva, Switzerland. Attached to the email was a small Android Package (APK) file named "WUC's Conference.apk." If executed, the application displays a message about the event, while also surreptitiously establishing a backdoor between the Android system and the malware's controllers.

"While the victim reads this fake message, the malware secretly reports the infection to a command-and-control server," said Kaspersky Lab. "After that, it begins to harvest information stored on the device." Harvested information includes contacts stored on the phone and SIM card, call logs, SMS messages, GPS coordinates and phone system information.

But the malware doesn't immediately exfiltrate the harvested data. "It is important to note that the data won't be uploaded to [the] C&C server automatically," according to the Kaspersky Lab researchers. "The Trojan waits for incoming SMS messages and checks whether these messages contain one of the following commands: 'sms,' 'contact,' 'location,' 'other.' If one of these commands is found, then the malware will encode the stolen data with Base64 and upload it to the command and control server."

The command-and-control (C&C) server -- which is running Windows Server 2003 and set to use the Chinese language -- that the malware communicates with is hosted by Emagine Concept Inc. in Los Angeles. Until recently, a domain registered in Beijing also pointed to the C&C server.

According to Kaspersky Lab, the C&C server offers a Chinese-language Web interface for controlling malware-infected Android devices. Available commands include viewing or uninstalling all malware on an Android device, using SMS to refresh the list of infected smartphones, viewing the GPS coordinates of a smartphone, and viewing the software installed on any given phone, which Kaspersky Lab said would be used to facilitate the hijacking of specific software applications, such as a target's email account.

Interestingly, the C&C server also contains an index page with another version of the malicious APK file. This second version refers to discussions between China and Japan about ownership of a set of islands.

By all indications, the developers and controllers of the malware are Chinese speakers. "Throughout the code, the attackers log all important actions, which include various messages in Chinese," said Kaspersky Lab. "This was probably done for debugging purposes, indicating the malware may be an early prototype version."

Espionage malware has long been used to track political activists. Last year, for example, researchers reported that FinFisher spyware developed and sold by U.K.-based Gamma Group -- and which can infect iPhones, Android smartphones, BlackBerrys and other mobile devices -- was being used by autocratic regimes, including the Assad regime in Syria and the government of the Gulf state of Bahrain, to actively monitor dissidents.

But the social-engineering attack discovered by Kaspersky Lab suggests that attackers are growing more adept at developing their own low-cost attacks to target specific mobile devices. "So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques," said the researchers. "For now, the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail."
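The researchers' advice above is to treat APK attachments arriving by e-mail as hostile. The following is an added example, not code from the article or from Kaspersky Lab, of how a mail gateway could enforce that: it flags attachments by the .apk extension and, because an APK is a ZIP archive carrying AndroidManifest.xml and classes.dex, also by content, so a package renamed to look like a document is still caught. The sample message and its attachment are constructed here for the demonstration.

```python
# Added example (not from the article or Kaspersky Lab): flag Android packages
# attached to e-mail, by file name and by archive content. An APK is a ZIP file
# that contains AndroidManifest.xml and classes.dex, so renaming does not hide it.
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}  # entries every APK carries

def is_apk(data: bytes) -> bool:
    """True if the bytes are a ZIP archive containing both APK marker entries."""
    if not data.startswith(b"PK\x03\x04"):  # local file header signature of a ZIP
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return APK_MARKERS.issubset(set(zf.namelist()))
    except zipfile.BadZipFile:
        return False

def apk_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment that is an APK by name or content."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".apk"):
            hits.append((name, "apk extension"))
        elif is_apk(payload):
            hits.append((name, "apk content under a different name"))
    return hits

def build_sample_message() -> bytes:
    """Constructed test input: a minimal APK-like ZIP attached under a document name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")  # placeholder content
        zf.writestr("classes.dex", b"dex\n035\0")           # placeholder content
    msg = EmailMessage()
    msg["Subject"] = "Conference information"  # constructed lure text, not the real one
    msg.set_content("Please see the attached program.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="conference_program.pdf")
    return bytes(msg)
```

Run `apk_attachments(build_sample_message())` to see the renamed package reported; a real deployment would quarantine the message rather than just return the list.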

