The campaign uses three never-before-seen Android surveillanceware tools, dubbed SilkBean, GoldenEagle and CarbonSteal, and one previously disclosed tool, DoubleAgent. The purpose of these tools is to gather and exfiltrate personal user data to attacker-operated command-and-control (C2) servers.
“Many samples of these malware tools were trojanized legitimate apps, i.e., the malware maintained complete functionality of the applications they were impersonating in addition to its hidden malicious capabilities,” said Lookout security researchers Apurva Kumar, Christoph Hebeisen and Kristin Del Rosso, in a Wednesday analysis.
The malware families were used in a widespread campaign that originated in China, which predominantly targeted Uyghurs, but also, to a lesser extent, Tibetans. The Uyghurs, a Turkic minority ethnic group affiliated with Central and East Asia, have previously been targeted in other spyware attacks, including by an ActionSpy campaign seen as recently as June.
Researchers believe that the Uyghurs were being targeted due to the titles of the apps through which they were spread, and the in-app functionality of the spyware samples. Such titles include “Sarkuy” (Uyghur music service), “TIBBIYJAWHAR” (Uyghur pharmaceutical app) and “Tawarim” (Uyghur e-commerce site). Researchers say, the surveillance apps in the campaign were likely distributed through a combination of targeted phishing and fake third-party app stores – however, they fortunately haven’t been discovered on official app marketplaces, like Google Play.
Four Android Spyware Tools
Each of the four malware tools involved in the campaign has its own unique data gathering priorities and techniques. All four malware families are linked via shared C2 infrastructure, signing certificates as well as code and target overlap, said researchers.
Android surveillanceware tool SilkBean samples are spread mainly via trojanized applications for Uyghur/Arabic focused keyboards, alphabets and plugins. Researchers said that a “hallmark” of SilkBean is its comprehensive RAT functionality, enabling an attacker to execute over 70 different commands on an infected device. These commands include collecting, modifying and sending messages, as well as recording the device screen.
Another spyware tool used in the campaign, DoubleAgent, was first publicly exposed in 2013. However, new samples of DoubleAgent found in this recent campaign reveal that the malware is continuing to evolve and use new infrastructure, according to researchers.
While earlier versions of DoubleAgent used FTP servers as staging areas for exfiltrated content, and required victims to authenticate with credentials, these newer versions of DoubleAgent would upload unencrypted files directly to the C2 servers using TCP sockets, researchers said.
“Titles also suggest targeting of the DoubleAgent family has included the Uyghur population, with these most recent samples masquerading as third-party Android app stores (islamapk[.]com and yurdax[.]com) serving Uyghur-focused applications and overlapping with C2 content seen when investigating SilkBean,” said researchers.
The third malware utilized, CarbonSteal, has been tracked by Lookout researchers since 2017, with more than 500 samples being discovered to date. The spyware has capabilities for “extensive” audio recording functionality in a variety of codecs and audio formats. It also has the ability to control infected devices through specially crafted SMS messages.
“Attackers can also perform audio surveillance through the malware’s ability to silently answer a call from a specific phone number and allow the attacker to listen in to sounds around an infected device,” said researchers.
Samples of the final spyware sample used in the campaign, GoldenEagle, appeared as early as 2012, making it one of the longest-running surveillanceware families that Lookout researchers say they’ve observed to date. GoldenEagle has various spyware functionalities, including sniffing out contact info, call history and installed apps, taking screenshots, location tracking and getting messages from China messaging services like WeChat.
Researchers also warned that the APT behind the campaign has extended its campaign beyond China over the years, targeting at least 14 different countries.
“We noticed that campaigns by this [mobile APT] are also active outside of China, based on the languages and services targeted by the malware samples,” they said. “For example, titles such as ‘Turkey Navigation’, ‘A2Z Kuwait FM Radio’, ‘ اخبار سوريا’ (‘Syria(n) News’) may suggest targets in Turkey, Kuwait and Syria respectively.”
The APT behind this campaign is connected to previously reported desktop APT activity in China, which is linked to GREF, a China-based threat actor also known as APT15, Ke3chang, Mirage, Vixen Panda and Playful Dragon, said researchers. For instance, infrastructure publicly associated with the actor known as GREF in 2018 has been found to be linked directly to CarbonSteal samples.
The group was also previously spotted in 2017, in campaigns against the U.K. government and military, and then in 2018, mounting a highly targeted spy campaign using an upgraded version of the Mirage remote access trojan.
“Given the overlaps of C2 infrastructure, it appears plausible that these three families have the same developer and targets,” said researchers. “This belief … leads Lookout researchers to believe that SilkBean, PluginPhantom, and now CarbonSteal, can be tied to this [mobile APT] threat.”