Kaspersky uncovers trojan spread by "spear-phish" to Tibet activists.
Malware used to spy on Tibetan activists and other ethnic groups in
China is nothing new. But a new Trojan discovered by researchers at
Kaspersky Lab has widened the scope of this digital espionage and
intimidation. The attack combines a hijacked e-mail account, spear
phishing, and a Trojan built specifically for Android smartphones. Kaspersky says this is the first targeted attack it has seen that uses mobile malware.
On March 25, the e-mail account of a Tibetan activist was hacked and
then used to send Android malware to everyone on the activist's contact list.
The e-mail's lure was a statement on the recent conference organized by
the World Uyghur Congress (WUC)
that brought together Chinese democracy activists and Tibetan, Southern
Mongolian, and East Turkestan human rights activists. The attachment
purported to be a joint letter from the WUC, the Unrepresented Nations and Peoples Organization, and the Society for Threatened Peoples. Targets who opened it instead received malware packaged as an Android APK file.
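The lure above relies on the recipient not noticing that the "letter" is an Android package. An APK is a ZIP archive that always carries an AndroidManifest.xml and a classes.dex entry, so a mail gateway or analyst can identify one by content rather than by the file name or MIME type it was sent under. The following Python triage script is an added example written for this page, not code from Kaspersky or Ars Technica; the message, sender addresses, file names and the stand-in APK it builds are all constructed, and the stand-in contains no real Android code.

```python
"""Triage e-mail attachments for Android packages (APKs) regardless of the
file name or MIME type they arrive under.

Added example for this page; not Kaspersky's or Ars Technica's code.
Sender addresses, file names and message text are constructed.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Every APK is a ZIP archive that contains at least these two entries.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def is_apk(data: bytes) -> bool:
    """True if the bytes are a ZIP archive carrying the APK marker entries."""
    if not data.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return APK_MARKERS <= names


def make_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the marker entries only.
    The entry contents are placeholders, not a manifest or Dalvik bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed-manifest/>")
        zf.writestr("classes.dex", b"constructed placeholder")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def make_sample_message() -> bytes:
    """Constructed lure modelled on the article: a 'joint letter' attachment
    that is really an APK, next to a harmless PDF placeholder."""
    msg = EmailMessage()
    msg["From"] = "activist@example.org"  # hypothetical hijacked account
    msg["To"] = "contact@example.org"     # hypothetical recipient
    msg["Subject"] = "Statement on the WUC conference"
    msg.set_content("Please find the joint letter attached.")
    msg.add_attachment(make_fake_apk(), maintype="application",
                       subtype="octet-stream", filename="Joint_Letter.pdf")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="Agenda.pdf")
    return msg.as_bytes()


def triage(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 822 message.
    An APK sent under any extension other than .apk is flagged as disguised."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if is_apk(payload):
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            verdict = "APK attachment" if ext == "apk" else f"APK disguised as .{ext}"
        else:
            verdict = "not an APK"
        results.append((name, verdict))
    return results


if __name__ == "__main__":
    for name, verdict in triage(make_sample_message()):
        print(f"{name}: {verdict}")
```

The check keys on the archive's contents because the declared MIME type and extension are both chosen by the sender; a real deployment would go on to inspect the manifest's requested permissions, which needs an AXML parser and is not attempted here.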
Once installed, the Trojan appears as an app named "Conference" on the
device's home screen. If the app is launched, it displays a fake message
from the chairman of the WUC while, in the background, reporting its
successful installation to a command-and-control server. From then on the
malware acts as a backdoor driven by SMS messages from its operators: on
command, it uploads the phone's contact list, call logs, device
information, geolocation data, and any SMS messages stored on it to the
server via an HTTP POST.
The server itself is a Windows Server 2003 machine configured for the
Chinese language, sitting in a data center in Los Angeles. In addition
to serving as the upload point for data stolen from Android devices, it
hosts more Android malware on its home page and exposes a public,
Chinese-language Web interface that allows direct control over infected
phones. While the server's IP address is registered to a company called
Emagine Concept, a domain pointed at the machine is registered to Shanghai
Meicheng Technology Information Development Co., Ltd., a Chinese company
with a contact in Beijing.
Original Article: Ars Technica