Mar 28, 2013

Tibet: Spear-Phishing Attack Through Android App

A spear-phishing attack that mainly targets Uyghur and Tibetan human rights activists by installing a malicious Android application, has been detected by Kaspersky Lab.

Below is an article published by SC Magazine:

According to research by Kaspersky Lab experts Costin Raiu, Kurt Baumgartner and Denis Maslennikov, targeted messages were sent to activists and human rights advocates after the email account of a high-profile Tibetan activist was hacked.

The messages that were sent, included an APK attachment, and a malicious program for Android, which downloaded "WUC's Conference.apk" that Kaspersky Lab believed to be deliberately related to the World Uyghur Conference and said the attachment was a letter on behalf of the organisers. The conference took place earlier this month in Geneva.

If a recipient opens the attachment, it displays a letter while malware secretly reports the infection to a command-and-control (C&C) server and sends out data including: contacts (stored both on the phone and the SIM card); call logs; SMS messages; geolocation data; and phone data (phone number, OS version, phone model, SDK version).

Kaspersky Lab said that despite there being hundreds, if not thousands, of targeted attacks against Tibetan and Uyghur supporters, the vast majority of these target Windows machines through Word documents exploiting known vulnerabilities such as CVE-2012-0158, CVE-2010-3333 and CVE-2009-3129.

“In this case, the attackers hacked a Tibetan activist's account and used it to attack Uyghur activists. It indicates perhaps an interesting trend that is exploiting the trust relationships between the two communities,” the researchers said.

“The current attack took advantage of the compromise of a high-profile Tibetan activist. It is perhaps the first in a new wave of targeted attacks aimed at Android users. So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.”