7-year Android malware campaign targeted Uyghurs: report
The Uyghur community was targeted with an Android-based malware campaign for over seven years, according to researchers with cybersecurity firm Check Point.
Sergey Shykevich, threat intelligence group manager at Check Point Software, told The Record that the last sample they found dated to the middle of August 2022. The Android spyware is called MobileOrder and has been used in various forms since 2015.
“The scale and the persistence of the campaign is remarkable. Furthermore, the malware has a lot of active capabilities like calls and surround recording, real time geolocation and even the capability to conduct calls and send SMS messages by using the victim's phone,” Shykevich said.
“All of this allows the threat actor behind the campaign to build a great intelligence picture around its targets. We suspect the actor Scarlet Mimic is behind this espionage campaign but don’t know much about who is behind this group. We will continue to monitor the situation.”
In a report released on Thursday, Check Point attributed the campaign to a group they named “Scarlet Mimic.” The campaign uses spear-phishing techniques disguised in Islamic artifacts, such as books, pictures and audio files.
One file seen by researchers was an audio version of the Quran. When opened, the malware is deployed, stealing victim data and tracking their locations. The malware can record audio through smartphones, send SMS text messages, extract browser history and delete evidence of the actions.
Check Point was unable to tie the campaign to any specific country or group but pointed to a 2016 report from Palo Alto Networks about the same malware campaign. Palo Alto said their findings support “an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.”
Since 2016, the hackers behind the campaign introduced several changes to reduce the chances of security software catching the malware. Check Point found at least 20 different variations of the malware.
“CPR researchers are not able to identify whether the attacks have been successful, yet the fact that the group has continued to develop and deploy the malware for so many years suggests that they have been successful, at least, in some of their operations,” the researchers said.
“Most of the malicious applications we observed have names in the Uyghur language, in its Arabic or Latin scripts. They contain different decoys (documents, pictures, or audio samples) with content related to the ethnic geopolitical conflict centered on Uyghurs in China’s far-northwest region of Xinjiang, or with the religious content referencing the Uyghurs’ Muslim identification.”
One sample had a picture of Elqut Alim, the member of a Norway-based group of Uyghur youth advocating against “China’s invasion of East Turkestan.”
Check Point found other samples tied to PDF versions of a military manual from the military wing of Al-Qaeda and a notable book from the current president of the World Uyghur Congress.
The U.S. and some of its allies announced sanctions against the Chinese government in December for its human rights abuses against the Uyghur population, including the detention of millions of Uyghurs in forced labor and reeducation camps.
Facebook said last year that its security team discovered and took down a network of Facebook accounts that were being used by Chinese state-sponsored operatives to hack and compromise the devices of the Chinese Uyghur minority, but also Uyghurs living abroad.
Check Point researchers said the campaign’s evolution was emblematic of actions other governments are increasingly taking.
“This threat group’s shift in attack vector into the mobile sector provides evidence of a growing tendency of extensive surveillance operations executed on mobile devices as the most sensitive and private assets,” the researchers explained.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.