Security researchers have detected a surge of sophisticated targeted attacks originating from the well-known APT15 hacking group. The targets appear to be the Uyghur community living in China, and analysis of the incidents suggests that the attackers may be linked to a state government contractor. The main tools used to launch the attacks are malicious Android apps.
APT15 Hackers Target the Uyghur Minority in China Using Android Spyware
The recent large-scale, coordinated intrusions attributed to the APT15 hacking group appear to rely on well-known Android spyware. The findings indicate that the campaign has been active since at least 2013; the four Android spyware families involved are known to have been weaponized as far back as 2015.
Over the years the APT15 hackers have earned a reputation as one of the most formidable threat groups in the Asian region. This large-scale campaign is organized against the Uyghur ethnic minority in China, along with Tibetans who also reside in the country. The group's activity is not limited to mobile threats; it is associated with desktop threats as well. The victims speak many languages across the regions they inhabit, so the malware is built to support them:
Uyghur (in all four of its scripts: Arabic, Russian, Uyghur Cyrillic and Chinese), English, Arabic, Chinese, Turkish, Pashto, Persian, Malay, Indonesian, Uzbek, and Urdu/Hindi.
One of the reasons this campaign is considered so effective is that the various interlinked Android malware families use shared infrastructure coordinated by the attackers. The main goal of the campaign is to gather personal information: the built-in engine collects it and then sends it to the attackers over a dedicated connection.
Further Details About the APT15 Campaign: Overview of the Android Spyware Tools
The campaign relies on four Android spyware tools that the researchers have identified.
The first is SilkBean, which was analyzed last year when its use by the hackers peaked. It is categorized as a Remote Access Trojan which, once installed, allows the attackers to execute over 70 different types of commands. It is delivered via a payload carrier: trojanized applications placed in various repositories and file-sharing networks, and even posted on the official Google Play store using fake or stolen credentials. One of the main tactics employed by the hackers is to embed the malicious code in Islam-related applications.
SilkBean is installed through a multi-stage deployment disguised as a mobile keyboard application. Once installed on the device it asks the user to install an update, and this step is used to deploy the malware in the background. This hidden engine runs the Trojan infection. Not only does this let the hackers take control of the device, it also lets them hijack different types of information: personal user information, system data, and application data and caches. The Trojan code also allows the attackers to steal user data and modify device settings.
DoubleAgent is the second Android malware used by the hackers. Confirmed samples were found in trojanized copies of the KakaoTalk app; in other cases the malware has been identified in local community apps. Its code is encrypted and includes Trojan capabilities. It uses complex character patterns to disguise the commands relayed from the attackers' remote servers down to infected devices. Some of the most common commands include the following:
- File retrieval and upload of harvested data
- Data Extraction
- Database and Application Data Theft
- Settings Modification
DoubleAgent can log collected data in an internal database that is later uploaded to the attacker-controlled server. The application data it hijacks comes from the following popular apps:
Talkbox, DiDi, Keechat, Coco, Voxer, WhatsApp, Airetalk, Viber, Telegram, Zello, Skype, QQ, MicroMsg, MagicCall, BBM
CarbonSteal is another Android spyware used by the hackers. It is a particularly dangerous threat because it is signed with certificates in order to pass as a legitimate application. The spyware dates back to 2017 and has been embedded in more than 500 types of payload carriers. Its surveillance features include advanced code that can record audio from the built-in microphones. It can also be controlled via commands sent in SMS messages, which the locally installed engine intercepts and processes.
Compared with similar threats, CarbonSteal is described as highly sophisticated owing to its ability to encrypt and decrypt each module it contains, which lets it evade most security scanners. Its capabilities include:
- Retrieval of call logs, SMS/MMS messages
- Retrieval of device information such as model metadata, manufacturer, product, SD card size, memory, disk usage, CPU information, etc.
- Retrieval of QQ content and a list of the installed applications
- MiCode data theft
- Live location data retrieval
- SMS message retrieval and execution of SMS-delivered commands
- Remote audio recording
- Searching for multimedia files from the internal and external storage
- Network status information retrieval
- Launch at device startup
- Loading of dynamic content
The CarbonSteal Android spyware can be used to install additional malware on compromised devices, and it installs itself in a way that keeps it running even when power saving mode is enabled.
The last Android spyware used by the APT15 hackers is called GoldenEagle. It has been known to researchers since 2012, when the first samples were detected, and it has been updated with new features over the years. The majority of attacks are carried out through trojanized apps, including the following:
Sarkuy, Tawarim, uyhurqa, kirgzxvx, yeltapan air, TIBBIYJAWHAR, Hawar.cn News, Nur.cn News and Uyghur Quran
Before carrying out further actions, one of the first commands launched by the engine performs basic data theft: call logs, SMS messages and contacts. The information is saved to a text file that is relayed to an attacker-controlled server.
Feature-rich, updated versions of the GoldenEagle Android spyware can be commanded to execute further actions, such as downloading and running malicious apps. The status of all installed and running apps and processes can be extracted and sent to the remote attackers. Additional files and information can be hijacked; the data exfiltrated to the remote servers includes multimedia content and device usage metrics. Full surveillance capabilities are included: recording audio, calls, screen recordings and screenshots. Combined with the ability to hijack data on the file system and external storage and to read live location data, this makes for a very formidable Trojan infection.
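As an added defensive example (not code from the researchers' report or from any of the spyware described), the following Python maps the surveillance capabilities listed above for these four families to the Android permissions that gate them and triages a decoded text AndroidManifest.xml for that permission cluster; the sample manifest, its package name and the scoring are constructed assumptions, and the permission names are the standard Android ones.

```python
"""Triage a decoded AndroidManifest.xml for the permission cluster that
spyware with the capabilities described above (call logs, SMS, audio,
location, boot persistence, side-loading) would have to declare.
Added example; not code from the report or from the malware."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each capability named in the write-up -> the Android permission(s) that
# gate it. Any one permission in the set is enough to count the capability.
CAPABILITY_PERMISSIONS = {
    "call logs":          {"android.permission.READ_CALL_LOG"},
    "SMS read/receive":   {"android.permission.READ_SMS",
                           "android.permission.RECEIVE_SMS"},
    "contacts":           {"android.permission.READ_CONTACTS"},
    "audio recording":    {"android.permission.RECORD_AUDIO"},
    "live location":      {"android.permission.ACCESS_FINE_LOCATION",
                           "android.permission.ACCESS_COARSE_LOCATION"},
    "start at boot":      {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "install other apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "external storage":   {"android.permission.READ_EXTERNAL_STORAGE"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(manifest_xml: str) -> dict:
    """Return the matched surveillance capabilities and a simple score:
    the number of matched capabilities (an assumed, constructed metric)."""
    perms = declared_permissions(manifest_xml)
    hits = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    return {"capabilities": sorted(hits), "score": len(hits)}

# Constructed sample: a "keyboard" app declaring far more than a keyboard needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))  # score 6 for the constructed sample
```

A real APK stores its manifest as binary XML, so the text form must be decoded first; a keyboard app scoring this high on the list is a strong cue to inspect it before installation.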
This campaign shows how a highly organized hacking collective such as APT15 can devise and run a complex, long-running operation. Android users should therefore be extra careful, install only trusted applications, and watch out for malware impersonating legitimate programs in app repositories.