2-Extended Analysis-Full

Recommendations

Info

Communities @ Risk 37EXTENDED ANALYSIS: 2.2 Cluster AnalysisMobile MalwareBACKGROUNDThe use of malware targeting mobile platforms in espionage campaigns is relativelyrare, but is likely a vector that will become more common due to the increasing ubiquityof mobile computing.During investigations of C2 servers associated with the Luckycat campaign, TrendMicro found two malicious Android APKs in early stages of development that couldcollect device information, as well as download and upload files by remote command.Based on the available information, it was unclear how the attackers intended todeliver the mobile malware to targets.In 2013, researchers at Kaspersky reported the compromise of an email account of ahigh-profile Tibetan activist that was then used by attackers to send targeted malwareto the activist’s contacts. The emails referenced the World Uyghur Congress andincluded a malicious APK file that appeared to be an application with information onthe event. The malware allowed attackers to collect data from infected devices includingcontacts, call logs, SMS messages, geolocation, and phone data (phone number, OSversion, phone model, and SDK version).Researchers in our group have also found evidence of commercial surveillance productsthat target multiple mobile platforms (e.g., Android, IOS, BlackBerry, Symbian)developed by Hacking Team and FinFisher.In other recent work, researchers found that participants in the Occupy Central protestsin Hong Kong received links through WhatsApp to an Android application thatappeared to be associated with the protest organizers, but was actually malware thatcould send a variety of information back to attackers.In our study, we identified the use of compromised Android applications sent as part ofa targeted attack against a prominent figure in the Tibetan community. This attack lever-
Communities @ Risk 38EXTENDED ANALYSIS: 2.2 Cluster Analysisaged a genuine email that was likely exfiltrated by attackers, and attached compromisedversions of the chat application KakaoTalk and mobile radio application TuneIn. 6VECTOR OF ATTACKOn December 4, 2012, an information security expert who works within the Tibetancommunity sent a private email to a member of the Tibetan Parliament in Exile,based in Dharamsala, India. That email attached genuine versions of Kakao Talk 7 andTuneIn 8 as APK files.On January 16, 2013, an email purporting to be from this same information securityexpert was sent to a high profile political figure in the Tibetan community. The emailcontained the same text as the message from December 4, but attached compromisedversions of the Kakao Talk and TuneIn Android APKs.In order for the malware to be installed, the user must permit applications to be installedfrom sources other than the Google Play store. This permission is not enabledby default in Android. However, as many members of the Tibetan community (particularlythose living in Tibetan areas in China) have restricted access to the Google Playservice, they are required to permit applications to be installed from outside sources. Itis common for APKs to be circulated outside of Google Play. In addition to permittingthe “allow from unknown sources” option, the user must also approve the additionalpermissions requested by the application. Users may be duped into accepting thesepermissions by assuming they are required for the regular functionality of the applicationor by not reviewing them carefully before approving. Once these permissions areapproved, they are used to authorize the additional data-gathering capabilities of themalware, which is configured to autostart on device boot.We later confirmed that the original recipient of the legitimate email had his emailaccount compromised. Therefore, it appears likely that the attackers harvested the6 We previously reported this attack in a blog post, Citizen Lab, “Permission to Spy: An Analysis of Android Malware TargetingTibetans,” April 18, 2013, https://citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans.See a Tibetan translation of this post here: https://citizenlab.org/2013/04/android-malware-in-tibetan.7 KakaoTalk is a chat app that is developed by a South Korean company (Kakao Corporation). Members of the Tibetan communityhave used KakaoTalk and other applications as alternatives to WeChat (another chat app popular in Asia) after concerns wereraised regarding that application’s general security and the potential for Tencent (the China-based developer of WeChat) to monitorusers at the behest of the Chinese government.8 TuneIn is a media player application for listening to Internet Radio. TuneIn is used by Tibetans to listen to streams such as Voiceof America’s Tibetan service, to engage with their culture, and to stay on top of world news.
Page 2 and 3: EXTENDED ANALYSIS:2.1Summary, Metho
Page 4 and 5: Communities @ Risk 3EXTENDED ANALYS
Page 12 and 13: Communities @ Risk 11EXTENDED ANALY
Page 20 and 21: Communities @ Risk 19EXTENDED ANAL
Page 30 and 31: EXTENDED ANALYSIS:2.2Cluster Analys
Page 64: Communities @ Risk 63EXTENDED ANALY
Page 89 and 90:
Communities @ Risk 88EXTENDED ANALY
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Communities @ Risk 100EXTENDED ANAL
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
EXTENDED ANALYSIS:2.3Civil Society
Page 111 and 112:
Page 113 and 114:
Communities @ Risk 112duced new ris
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125:
show all

2-Extended Analysis-Full

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?