Friday, March 29, 2013

Tibetan Activists Targeted by Phishing Attack Toting Android Trojan

Phishing attacks targeting Tibetan activists aren’t anything new, and there have been a variety of malware spam campaigns affecting both Windows and OS X systems in recent months.

It appears as though the dangers have spilled over into the mobile world, however, as Kaspersky Lab recently spotted a new spam campaign spreading malicious APKs – Android application packages.

Researchers say that the perpetrators hacked into the email account of a “high-profile Tibetan activist” and used it to fire off spam messages like the one below to other activists:

Subject: WUC’s Conference in Geneva

22 March 2013 World Uyghur Congress

In what was an unprecedented coming-together of leading Uyghur, Mongolian, Tibetan and Chinese activists, as well as other leading international experts, we were greatly humbled by the great enthusiasm, contribution and desire from all in attendance to make this occasion something meaningful, the outcome of which produced some concrete, action-oriented solutions to our shared grievances. The attachment is a letter on behalf of WUC, UNPO and STP.

Attached to the email is an APK file, WUC’s Conference.apk that, when installed on the recipient’s Android device, will populate an app named “Conference” in the app drawer.

When launched, the app displays text to the end-user related to the upcoming event, and proceeds to connect to its command and control server in the background. From that point on, the Trojan siphons the following data from the device and relays it back to its operators on command:

  • Contacts (stored both on the phone and the SIM card).

  • Call logs.

  • SMS messages.

  • Geo-location.

  • Phone data (phone number, OS version, phone model, SDK version).
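The data categories listed above each require a specific Android permission, so a quick triage check is to compare an app's declared permissions against that exfiltration profile. The following script is an added example (not code from the original post or from Kaspersky) that parses the text printed by `aapt dump permissions`, maps the permissions onto the five categories the Trojan collects, and flags an app that can read several of them and also reach the network; the dumps embedded below are constructed samples, not output from the real malware.

```python
import re

# Data categories the post says the Trojan collects, mapped to the Android
# permissions an app must declare to read them (any one of the set suffices).
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "phone_data": {"android.permission.READ_PHONE_STATE"},
}
# Without this an app cannot relay anything to a C&C server on its own.
NETWORK_PERMISSION = "android.permission.INTERNET"

# Matches both the older "uses-permission: android.permission.X" and the newer
# "uses-permission: name='android.permission.X'" line formats of aapt.
PERM_RE = re.compile(r"uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)")


def parse_permissions(aapt_output):
    """Extract the set of declared permissions from `aapt dump permissions` text."""
    return set(PERM_RE.findall(aapt_output))


def exfil_profile(permissions):
    """Report which categories the app could read and whether it can send them out."""
    readable = {cat for cat, perms in CATEGORY_PERMISSIONS.items() if perms & permissions}
    return {"readable": readable, "can_exfiltrate": NETWORK_PERMISSION in permissions}


def triage(aapt_output, threshold=3):
    """Flag an app that can read `threshold` or more sensitive categories and has network access."""
    prof = exfil_profile(parse_permissions(aapt_output))
    prof["suspicious"] = prof["can_exfiltrate"] and len(prof["readable"]) >= threshold
    return prof


# Constructed sample: what an aapt dump would look like for an app declaring the
# full set of permissions implied by the post (hypothetical package name).
SAMPLE_DUMP = """package: com.example.conference
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""
# Constructed benign sample: an event-info app that only needs the network.
BENIGN_DUMP = "package: com.example.eventinfo\nuses-permission: name='android.permission.INTERNET'\n"

if __name__ == "__main__":
    for name, dump in (("conference", SAMPLE_DUMP), ("eventinfo", BENIGN_DUMP)):
        print(name, triage(dump))
```

Feed it the real output of `aapt dump permissions some.apk` to triage a sideloaded app before installing it; a high category count with network access is a reason to look closer, not proof of malice on its own.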


The C&C server for the Trojan, which Kaspersky detects as Backdoor.AndroidOS.Chuli.a, has a Los Angeles, CA based IP address, 64.78.161.133.

Researchers noted that the domain, DlmDocumentsExchange.com has previously been associated with that IP. The domain name was registered to a Chinese address on March 8th, and serves up a similar APK file with text discussing the disputed “Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands” written in Chinese. That, plus the fact that the public-facing admin interface and server’s operating system are in Chinese, leads researchers to believe that the attackers are at least Chinese-speaking.

Either way, the attack cannot succeed without user interaction, and can be easily avoided as a result.

As always, users are advised not to download or install Android applications distributed via email, SMS, or any untrusted sources, and to always vet apps, even when downloaded from the Google Play store.
