China accused of spreading Android malware

The Chinese government has often been accused of hacking into computers belonging to other nation states and even individuals, but now evidence has been uncovered that it also uses smartphones to track targets.

A security research company has uncovered evidence of malware targeting Tibetan activists spreading via Android devices, and China is the main suspect.

According to Citizen Lab, a security research group based at the Monk School of Global Affairs at the University of Toronto, the malware is designed to steal text messages and contacts, as well as monitor the user's location.

The group's research has found that the target of this malware was a prominent member of the Tibetan community. According to Citizen Lab a Tibetan security expert sent an email containing a legitimate Android application package file (APK) to a member of the Tibetan parliament-in-exile, based in India. It is likely that person's email account was compromised and the same message was forwarded to another prominent member of the Tibetan community. However, this time the legitimate attachment had been replaced with a compromised app.

The app in question is Kakao Talk, a messaging and chat application developed by a South Korean firm. It is popular with the Tibetan community because it is considered more secure than a similar app called WeChat          , which is developed by a Chinese company called Tencent. Users were worried that the Chinese government would be able to monitor communications through WeChat.

Citizen Lab said the compromised version of Kakao Talk worked in the same way as the legitimate app but contained a much longer list of permission requests. As Citizen Lab points out, Tibetan activists often circumvent the official Google Play app store to get around restrictions placed on it. This leaves them more open to the possibility of installing malicious apps.

The compromised app would periodically download the user's contacts, call history, SMS messages and cellular network configuration to an encrypted file, which is then sent to the attacker.

Another aspect of the compromised app, which Citizen Lab calls “troubling and curious”, is its ability to intercept text messages and search them for a specific code sent by the attacker. If it is detected, the app replies to the text giving technical information such as the base station ID, tower ID, mobile network code and mobile area code. It does all this without the user's knowledge.

“This information is only useful to actors with access to the cellular communications provider and its technical infrastructure, such as large businesses and government,” the blog explains. “It almost certainly represents the information that a cellular service provider requires to initiate eavesdropping, often referred to as ‘trap & trace'. Actors at this level would also have access to the data required to perform radio frequency triangulation based on the signal data from multiple towers, placing the user within a small geographical area.”

Although Citizen Lab refrains from accusing China directly it seems clear that is where the suspicion lies. Not only has the Chinese government been accused of being too close to the country's telecoms providers but its attitude towards Tibetan activists is well known.

Speaking to Forbes, Citizen Lab director Ron Deibert was more explicit in his accusation. “We don't have a smoking gun that this is the Chinese government. But let's face it, when you add it all up, there's really only one kind of organisation for whom this information is useful. And we know that the Chinese have a very strong interest in tracking Tibetans, so it's a strong set of circumstantial evidence.”

It is the second time in a matter of days that Android malware targeting Tibetans has been uncovered. Kaspersky Lab revealed details of a very similar attack, although Citizen Lab claims the two are not technically related.

Attacks on Tibetan activists are not rare, but before these two examples the vast majority had been Windows-based attacks. “These examples demonstrate the risks communities face from targeted mobile malware. Attackers will continue to adopt new methods and widen targeting of platforms,” Citizen Lab warned.

Sign up to our newsletters