Phishing emails targeting Tibetan and Uyghur activists and containing spying malware masquerading as legitimate DOC and PDF files are nothing new, as such spam campaigns have been going on for years.
But it seems that the attackers have finally recognized the fact that many users often access their emails via their mobile phones, as Kaspersky Lab researchers have recently spotted Uyghur-themed emails delivering a malicious program for Android (click on the screenshot to enlarge it):
The offered app is, in fact, a backdoor. Once the user installs and launches it, it presents information about the World Uyghur Congress mentioned in the email, but in the background it contacts a C&C server located in the U.S. and notifies it of the successful infection.
The Trojan then proceeds to harvest information from the device – such as contacts, call logs, SMS messages, geo-location and general phone data (phone model, number, OS and version, etc.) – and posts it to the C&C server.
Both the fact that the source code of the Trojan is peppered with remarks in Chinese and that the C&C server’s IP used to be associated with a domain recently registered by someone (ostensibly) located in Beijing seems to point to Chinese-speaking attackers.
In addition to this, the C&C index page and its publicly accessible interface are also written in Chinese, and its server is running Windows Server 2003 configured for the same language, the researchers point out.
Finally, the C&C’s index page hosts another APK file with the sam functionalities, but different text concerning the China-Japan dispute over the Senkaku Islands to function as a smokescreen for the malicious app’s real intentions.
According to the researchers, the spam email delivering the Android Trojan has been sent from a compromised email account of a Tibetan activist, trying to exploit the trust existing between Tibetan and Uyghur activists.
“Until now, we haven’t seen targeted attacks against mobile phones, although we’ve seen indications that these were in development,” they say, adding that this is perhaps the first in a new wave of targeted attacks aimed at Android users.
Needless to say, users can easily thwart the attack by not installing and running APK attachments – even when they seem to come from trusted sources.