Android Malware Infects Activists' Phones

Targeted, data-stealing attack launched via Tibetan activist's email account leads to Chinese server in Los Angeles, says Kaspersky Lab.
Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Security researchers have discovered what appears to be the first known sighting of in-the-wild Android malware that's been designed to conduct targeted attacks.

"Until now, we haven't seen targeted attacks against mobile phones, although we've seen indications that these were in development," Kaspersky Lab researchers Costin Raiu, Kurt Baumgartner and Denis Maslennikov said in a blog post.

The related Android malware spear-phishing attacks appeared to commence after attackers hacked into a top activist's email account. "Several days ago, the e-mail account of a high-profile Tibetan activist was hacked and used to send targeted attacks to other activists and human rights advocates," said the researchers. "Perhaps the most interesting part is that the attack e-mails had an APK attachment -- a malicious program for Android."

[ Should you be worried? Read Malware Writers Prefer Android. ]

The spear-phishing email used in the attacks referred to a recently held human rights conference organized by Uyghur, Mongolian, Tibetan and Chinese activists in Geneva, Switzerland. Attached to the email was a small Android Package (APK) file named "WUC's Conference.apk." If executed, the application displays a message about the event, while also surreptitiously establishing a backdoor between the Android system and the malware's controllers.

"While the victim reads this fake message, the malware secretly reports the infection to a command-and-control server," said Kaspersky Lab. "After that, it begins to harvest information stored on the device." Harvested information includes contacts stored on phone and SIM card, call logs, SMS messages, GPS coordinates and phone system information.

But the malware doesn't immediately exfiltrate the harvested data. "It is important to note that the data won't be uploaded to [the] C&C server automatically," according to the Kaspersky Lab researchers. "The Trojan waits for incoming SMS messages and checks whether these messages contain one of the following commands: "sms," "contact," "location," "other." If one these commands is found, then the malware will encode the stolen data with Base64 and upload it to the command and control server."

The command-and-control (C&C) server -- which is running Windows Server 2003 and set to use the Chinese language -- that the malware communicates with is hosted by Emagine Concept Inc. in Los Angeles. Until recently, a domain registered in Beijing also pointed to the C&C server.

According to Kaspersky Lab, the C&C server offers a Chinese-language-based Web interface for controlling malware-infected Android devices infected. Available commands include viewing or uninstalling all malware on an Android device, using SMS to refresh the list of infected smartphones, viewing the GPS coordinates of a smartphone, as well as viewing the software installed on any given phone, which Kaspersky Lab said would be used to facilitate the hijacking of specific software applications, such as a target's email account.

Interestingly, the C&C server also contains an index page with another version of the malicious APK file. This second version refers to discussions between China and Japan about ownership of a set of islands.

By all indications, the developers and controllers of the malware are Chinese speakers. "Throughout the code, the attackers log all important actions, which include various messages in Chinese," said Kaspersky Lab. "This was probably done for debugging purposes, indicating the malware may be an early prototype version."

Espionage malware has long been used to track political activists. Last year, for example, researchers reported that FinFisher spyware developed and sold by U.K.-based Gamma Group -- and which can infect iPhones, Android smartphones, BlackBerrys and other mobile devices -- was being used by autocratic regimes, including the Assad regime in Syria and the government of the Gulf state of Bahrain, to actively monitor dissidents.

But the social-engineering attack discovered by Kaspersky Lab suggests that attackers are growing more adept at developing their own low-cost attacks to target specific mobile devices. "So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques," said the researchers. "For now, the best protection is to avoid any APK attachments that arrive on mobile phones via e-mail."

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing