In a detailed and forensic report, researchers Apurva Kumar, Kristin Del Rosso, Justin Albrecht and Christoph Hebeisen said the four interconnected tools were parts of a much larger mobile advanced persistent threat (mAPT) that showed evidence of having been active since 2013.
The Lookout report, which also listed Katie Kleemola, Michael Flossman and Andrew Blaich as contributors, said the researchers had been monitoring the surveillance families — SilkBean, DoubleAgent, CarbonSteal and GoldenEagle — as far back as 2015.
The 52-page report said the threat actors behind the surveillance had at least four other tools publicly known as HenBox, PluginPhantom, Spywaller and DarthPusher.
Additionally, they said that there was evidence showing some of the mAPT activity they had found was associated with desktop APT activity in China, a growing trend.
The connections between the four novel and publicly unknown Android surveillance tools. Courtesy Lookout
Apart from China-based Uighurs, the Lookout researchers said there was also evidence indicating that these tools had been used to target members of the same ethnic group living outside China, Tibetans and Muslims around the globe.
Evidence suggested Uighur communities in at least 14 other countries could also be targeted and the content within malware samples referenced local services and news outlets in countries like Turkey, Syria, Kuwait, Indonesia and Kazakhstan.
The researchers said the names of the apps and their functionality indicated that those targeted spoke a number of languages: Uighur (in all its four scripts: Arabic, Russian, Uighur Cyrillic and Chinese), English, Arabic, Chinese, Turkish, Pashto, Persian, Malay, Indonesian, Uzbek and Urdu/Hindi.
Another finding was that the targeting timeline seemed to align with national security directives issued by China and Beijing's counter-terrorism efforts. The four Lookout researchers said they had noticed a peak in malware development in 2015 which coincided with the “Strike Hard Campaign against Violent Terrorism” (严厉打击暴力恐怖活动专项行动) in Xinjiang that began in May 2014, and also the creation of the National Security Strategic Guidelines, the National Security Law and the Counterterrorism Law in 2015.
Icons of some trojanised apps used to transmit the GoldenEagle surveillanceware. Courtesy Lookout
Apart from all this, Kumar, Del Rosso, Albrecht and Hebeisen said the languages, countries and services targeted by the mAPT aligned with China's official list of 26 "sensitive countries", adding that public reporting has pointed to this list as being used by Chinese authorities when deciding on targets.
"During our research, we found evidence of at least 14 of the 26 countries being targeted by the malware campaigns discussed in this report," the researchers added.
The primary task of the four surveillanceware apps was to gather and send personal user data to a command and control centre, they said.
"Overlap of non-compromised signing certificates indicates that a combination of these tools are being used in tandem by a single group of mAPT actors to target Uighurs and other Muslim populations around the world," they added.
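The signing-certificate overlap the researchers describe is something a defender can reproduce over their own sample set. The script below is an added illustration, not code from Lookout or from the report: it takes a table of (sample, family, signing-certificate fingerprint) records, discards certificates that prove nothing about authorship because anyone can sign with them (a published debug key, for instance), and then joins families that share a remaining certificate into clusters. Every sample id, family assignment and fingerprint in it is a constructed placeholder, not a real indicator.

```python
"""Link malware families through shared APK signing certificates.

Added example, not Lookout's code. Fingerprints normally come from a tool
such as apksigner; here they are constructed placeholder strings so the
script runs offline.
"""
from collections import defaultdict

# Constructed sample table: (sample id, family, signing-cert fingerprint).
# None of these values are real indicators.
SAMPLES = [
    ("s01", "SilkBean",     "cert-A"),
    ("s02", "SilkBean",     "cert-A"),
    ("s03", "DoubleAgent",  "cert-A"),
    ("s04", "CarbonSteal",  "cert-B"),
    ("s05", "GoldenEagle",  "cert-B"),
    ("s06", "GoldenEagle",  "cert-C"),
    ("s07", "UnrelatedApp", "cert-DEBUG"),
    ("s08", "CarbonSteal",  "cert-DEBUG"),
]

# Certificates that carry no attribution weight because they are public or
# widely shared (constructed placeholder for, e.g., an Android debug key).
SHARED_CERTS = {"cert-DEBUG"}


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def families_by_cert(samples, shared_certs):
    """Map each non-shared certificate to the sorted families it signed."""
    by_cert = defaultdict(set)
    for _sid, family, cert in samples:
        if cert not in shared_certs:
            by_cert[cert].add(family)
    return {cert: sorted(fams) for cert, fams in by_cert.items()}


def linking_certs(samples, shared_certs):
    """Certificates seen in two or more families: the overlap evidence."""
    return {cert: fams
            for cert, fams in families_by_cert(samples, shared_certs).items()
            if len(fams) >= 2}


def family_clusters(samples, shared_certs):
    """Group families that are transitively connected by shared certs."""
    parent = {}
    for _sid, family, _cert in samples:
        parent.setdefault(family, family)
    for fams in families_by_cert(samples, shared_certs).values():
        for other in fams[1:]:
            _union(parent, fams[0], other)
    groups = defaultdict(set)
    for fam in parent:
        groups[_find(parent, fam)].add(fam)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for cert, fams in linking_certs(SAMPLES, SHARED_CERTS).items():
        print(f"{cert} links {', '.join(fams)}")
    print("clusters:", family_clusters(SAMPLES, SHARED_CERTS))
    # Without the shared-cert filter the debug key would wrongly pull an
    # unrelated app into the CarbonSteal/GoldenEagle cluster.
    print("unfiltered:", family_clusters(SAMPLES, set()))
```

Running it with the filter in place yields two clusters (SilkBean with DoubleAgent, CarbonSteal with GoldenEagle) and leaves the unrelated app alone; running it with an empty shared-certificate set shows why the "non-compromised" qualifier matters, since the debug key would then merge the unrelated app into the CarbonSteal cluster.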
One app, GoldenEagle, was notable for the number of trojanised versions of other apps in which it was hidden. The level of technical investment and the longevity of operations showed it was managed by a well-resourced adversary, the researchers concluded.
One positive finding was that none of the Android apps were available on the official Google Play Store.
The report goes into forensic detail about the apps, the way they operate, their development and the evidence that guided the researchers to their conclusions. One cannot go into all the details here, but it is well worth a careful read.