Fake Tor browser in China contained hidden spyware: report

Researchers discovered spyware bundled inside a fake version of the anonymising Tor browser advertised in China, according to a new Kaspersky Labs report.

Tor, a popular open source software that provides users anonymity and makes it more difficult to trace their internet activity, is blocked by China’s Great Firewall. People inside the country often attempt to access the software by downloading it from third-party websites.

Kaspersky researchers discovered one of these Tor installers advertised on a popular Chinese-language YouTube channel that focused on internet anonymity. But the installer was malicious, gathering “data that can be used to identify the victims” — undermining the very anonymity that users in China are turning to the browser for.

The researchers also found that it did not “automatically collect user passwords, cookies or wallets,” which would be of interest to criminal hackers — suggesting that the installer may have been developed for government surveillance.

The YouTube channel that advertised the malicious installer has more than 180,000 subscribers, and the video that featured it has received more than 64,000 views since it was posted in January, Kaspersky said. Kaspersky could not say how many people have installed the fake software, but added that its telemetry identified victims beginning in March.

Tor, named for The Onion Router, normally hides internet traffic from countries that perform traffic analysis or network surveillance on communications data by encrypting it and routing it through a volunteer network of relays. Because these relays conceal what websites people are visiting, the browser could be used inside China to circumvent the government’s extensive surveillance and censorship technologies, which are associated with the country’s strict intolerance for political dissent.

Kaspersky warns that the malicious version of the browser, which they have named OnionPoison, operated differently from the regular version by storing browsing history and data entered into website forms. It also contains a library infected with spyware that allows the attackers to search “exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities.”

Infections appear to be geographically limited to China, the security researchers added, with the command and control server checking that the victims are connecting from a Chinese IP address, but it is not clear who is behind the operation.

Kaspersky’s researchers wrote: “Regardless of the actor’s motives, the best way to avoid getting infected with OnionPoison implants is to always download software from official websites. If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures.”