Friday, 03 July 2020 06:58

Lookout team finds surveillance tools targeting Uighurs for many years

Image by andy chung from Pixabay

Threat researchers from the San Francisco-based security firm Lookout say they have discovered four Android surveillance tools that have been used to target the ethnic Uighur population in China for many years.

In a detailed and forensic report, researchers Apurva Kumar, Kristin Del Rosso, Justin Albrecht and Christoph Hebeisen said the four inter-connected tools were parts of a much larger mobile advanced persistent threat that showed evidence of having been active since 2013.

The Lookout report, which also listed Katie Kleemola, Michael Flossman and Andrew Blaich as contributors, said the researchers had been monitoring the surveillance families — SilkBean, DoubleAgent, CarbonSteal and GoldenEagle — as far back as 2015.

The 52-page report said the threat actors behind the surveillance had at least four other tools publicly known as HenBox, PluginPhantom, Spywaller and DarthPusher.

By looking at the surveillanceware apps, the certificates used to sign them and the command and control infrastructure used, they said they had found connections between the malware tools and the threat actors.

Additionally, they said that there was evidence showing some of the mAPT activity they had found was associated with desktop APT activity in China, a growing trend.


The connections between the four novel and publicly unknown Android surveillance tools. Courtesy Lookout

Apart from China-based Uighurs, the Lookout researchers said there was also evidence indicating that these tools had been used to target members of the same ethnic group living outside China, Tibetans and Muslims around the globe.

Evidence suggested Uighur communities in at least 14 other countries could also be targeted and the content within malware samples referenced local services and news outlets in countries like Turkey, Syria, Kuwait, Indonesia and Kazakhstan.

The researchers said the names of the apps and their functionality indicated that those targeted spoke a number of languages: Uighur (in all its four scripts: Arabic, Russian, Uighur Cyrillic and Chinese), English, Arabic, Chinese, Turkish, Pashto, Persian, Malay, Indonesian, Uzbek and Urdu/Hindi.

Another finding was that the targeting timeline seemed to align with national security directives issued by China and Beijing's counter-terrorism efforts. The four Lookout researchers said they had noticed a peak in malware development in 2015 which coincided with the “Strike Hard Campaign against Violent Terrorism” (严厉打击暴力恐怖活动专项行动) in Xinjiang that began in May 2014, and also the creation of the National Security Strategic Guidelines, the National Security Law and the Counterterrorism Law in 2015.


Icons of some trojanised apps used to transmit the GoldenEagle surveillanceware. Courtesy Lookout

Apart from all this, Kumar, Del Rosso, Albrecht and Hebeisen said the languages, countries and services targeted by the mAPT aligned with China's official list of 26 "sensitive countries", adding that public reporting has pointed to this list as being used by Chinese authorities when deciding on targets.

"During our research, we found evidence of at least 14 of the 26 countries being targeted by the malware campaigns discussed in this report," the researchers added.

The primary task of the four surveillanceware apps was to gather and send personal user data to a command and control centre, they said.

"Overlap of non-compromised signing certificates indicates that a combination of these tools are being used in tandem by a single group of mAPT actors to target Uighurs and other Muslim populations around the world," they added.
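As an added illustration of that overlap reasoning (example code written here, not from the Lookout report or iTWire; every certificate fingerprint and command and control host below is a constructed placeholder, not a real indicator), this clusters families that share a signing certificate or a C2 host:

```python
# Added example, not code from the Lookout report or iTWire: cluster malware
# families by shared signing certificates and C2 hosts, the overlap reasoning
# the report uses for attribution. Every fingerprint and host below is a
# constructed placeholder, not a real indicator.
from collections import defaultdict

# Constructed sample metadata: (family, signing-cert fingerprint, C2 host)
SAMPLES = [
    ("SilkBean", "CERT-A", "c2-1.example"),
    ("SilkBean", "CERT-B", "c2-2.example"),
    ("DoubleAgent", "CERT-B", "c2-3.example"),
    ("CarbonSteal", "CERT-C", "c2-3.example"),
    ("GoldenEagle", "CERT-D", "c2-4.example"),
    ("Unrelated", "CERT-E", "c2-5.example"),
]


def shared_artifacts(samples):
    """Return {artifact: sorted families} for each cert or host used by >1 family."""
    users = defaultdict(set)
    for family, cert, host in samples:
        users[cert].add(family)
        users[host].add(family)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}


def cluster_families(samples):
    """Union-find over families linked by any shared artifact; sorted clusters."""
    parent = {family: family for family, _, _ in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for families in shared_artifacts(samples).values():
        for other in families[1:]:
            parent[find(other)] = find(families[0])
    clusters = defaultdict(list)
    for family in parent:
        clusters[find(family)].append(family)
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for artifact, families in shared_artifacts(SAMPLES).items():
        print(f"{artifact} shared by {families}")
    print(cluster_families(SAMPLES))
```

A shared certificate only supports a common-operator conclusion when, as the researchers stress, the certificate is not known to be compromised; a stolen or leaked key links samples to a key, not to an actor.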

One app in particular, GoldenEagle, was notable for the number of trojanised versions of other apps in which it was hidden. The level of technical investment and the longevity of operations showed it was managed by a well-resourced adversary, the researchers concluded.

One positive finding was that none of the Android apps were available on the official Google Play Store.

The report goes into forensic detail about the apps, the way they operate, their development and the evidence that guided the researchers to their conclusions. One cannot go into all the details here, but it is well worth a careful read.





Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.




