In a report released today, cyber security company Lookout said it had found evidence linking Android malware used to spy on minorities in China to a large contractor working on various government projects in the Chinese city of Xi'an. The Lookout report describes a hacking campaign that for years has targeted mainly the ethnic Uighur minority living in western China, but also the Tibetan community, to a lesser extent.
The campaign infects people in these communities with malware, allowing government hackers to monitor the activities of minority communities in China's border areas, as well as those living abroad in at least 14 other countries.
"The activity of these surveillance campaigns has been observed since 2013," said Lookout researchers.
The company attributed this covert monitoring to a hacking group which it believes is acting on behalf of the Chinese government.
Some of the group's previous hacking actions have been documented by other cybersecurity companies, and the group is already known in industry circles with different code names, such as APT15, GREF, Ke3chang, Mirage, Vixen Panda and Playful Dragon.
The vast majority of previous APT15 attacks involved malware designed to infect Windows desktops, but Lookout said the group also developed an Android hacking toolset.
Its known Android tools include malware families identified as HenBox, PluginPhantom, Spywaller and DarthPusher. In addition, Lookout said it has discovered four new ones, named SilkBean, DoubleAgent, CarbonSteal and GoldenEagle.
Lookout said it unquestionably links these new Android malware families to previous APT15 Android hacking tools because of shared infrastructure and the use of the same digital certificates to sign various samples.
To distribute the malware, Lookout said that APT15 did not upload the applications to the Google Play Store, but instead used a technique known as a "watering hole" attack, in which they compromised legitimate websites and inserted malicious code into them. The malicious code redirects users to websites, forums, app stores and other sites, where users are asked to download and install applications infected with APT15 malware.
However, Lookout said that in the early stages of its search for the new APT15 malware, it found a command and control server for the GoldenEagle spyware that had been left unprotected.
The security researchers said they had gained access to the server and collected information about both the victims and the operators managing the malware.
Looking at the log files, Lookout said it found data from the first devices infected with GoldenEagle. When Lookout searched for the coordinates of these infected devices, it found that most were around a single area.
Lookout said the GPS coordinates came from a building that houses the offices of Xi'an Tianhe Defense Technology, a major contractor in Xi'an, central China.
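The step described above, pulling device coordinates out of server log files and noticing that most of them cluster around one spot, is a routine piece of incident analysis. The following is an added example of how an analyst might do it; it is not Lookout's tooling and says nothing about the real GoldenEagle server. The log line format, the device identifiers and the coordinates are all constructed for illustration (the clustered points sit near Xi'an, the outlier elsewhere), and a real server log would need its own parser.

```python
"""Find the densest cluster of GPS fixes in a set of malware C2 log lines.

Added example, not Lookout's code. The log format below is hypothetical:
<timestamp> dev=<id> lat=<decimal> lon=<decimal>
Lines without a parseable coordinate pair are skipped rather than guessed at.
"""
import math
import re

# Constructed sample log lines. Four fixes cluster near Xi'an, one is far away,
# and one is malformed to show that bad lines are ignored.
SAMPLE_LOG = """\
2014-03-02T08:11:04Z dev=a1f3 lat=34.2410 lon=108.9210
2014-03-02T08:12:51Z dev=b7c9 lat=34.2412 lon=108.9215
2014-03-02T09:00:13Z dev=c0d2 lat=34.2408 lon=108.9208
2014-03-03T10:45:00Z dev=e4e4 lat=43.8256 lon=87.6168
2014-03-03T11:02:33Z dev=f1a0 lat=34.2410 lon=108.9211
2014-03-04T12:20:19Z dev=9b9b malformed line without coordinates
"""

LINE_RE = re.compile(
    r"dev=(?P<dev>\w+)\s+lat=(?P<lat>-?\d+\.\d+)\s+lon=(?P<lon>-?\d+\.\d+)"
)


def parse_log(text):
    """Return a list of (device_id, lat, lon) tuples; skip lines with no fix."""
    points = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        points.append((m.group("dev"), float(m.group("lat")), float(m.group("lon"))))
    return points


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def densest_cluster(points, radius_km=0.5):
    """Greedy neighbourhood search: for every fix, count the fixes within
    radius_km of it, and return (centroid, members) for the best one.
    Returns (None, []) when there are no points at all."""
    best = []
    for _, lat, lon in points:
        members = [p for p in points if haversine_km(lat, lon, p[1], p[2]) <= radius_km]
        if len(members) > len(best):
            best = members
    if not best:
        return None, []
    clat = sum(p[1] for p in best) / len(best)
    clon = sum(p[2] for p in best) / len(best)
    return (round(clat, 4), round(clon, 4)), best


if __name__ == "__main__":
    fixes = parse_log(SAMPLE_LOG)
    centroid, members = densest_cluster(fixes)
    print(f"{len(fixes)} fixes parsed; densest cluster of {len(members)} near {centroid}")
    for dev, lat, lon in members:
        print(f"  {dev}: {lat}, {lon}")
```

The radius is the analyst's choice: a few hundred metres separates one building from the rest of a city, while a few kilometres would only tell you which city. A centroid from a handful of points is an indicator that warrants corroboration, not proof on its own; the fix is only as trustworthy as whatever the implant reported to the server.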
The fact that Lookout linked a sample of APT15 malware to a Chinese contractor is not a new kind of finding. From 2017 to 2019, four other Chinese state hacking groups were linked to contractors hired by Chinese intelligence services operating out of various regional offices.