Researchers uncover year-long mobile spyware campaign targeting Uyghurs

mobile spy software

A new wave of mobile surveillance campaign has been seen targeting the Uyghur community in a long-running spyware operation that has been active since at least 2015, cybersecurity researchers revealed on Thursday.

The intrusions, initially attributed to a threat actor named scarlet mimicry in January 2016, allegedly encompassed 20 different variants of the Android malware, which were disguised as a book, images and an audio version of the Quran.

The malware, although relatively unsophisticated from a technical point of view, has extensive capabilities to steal sensitive data from an infected device, send SMS messages on behalf of the victim, make phone calls and track their location.

cyber security

Moreover, it allows recording of incoming and outgoing phone calls as well as surrounding audio.

“All of this makes it a powerful and dangerous surveillance tool,” said Israeli cybersecurity firm Check Point. said in a deep technical analysis, calling the spyware MobileOrder.

It should be noted that part of the campaign was recently revealed by researchers from the MalwareHunterTeam and Cyblein which a book written by exiled Uyghur leader Dolkun Isa was used as a decoy to spread the malware.

mobile spy software

Check Point said it observed MobileOrder artifacts in the wild from 2015 through mid-August 2022, with the exception of 2021, when none were detected.

Attack campaigns likely involve the use of social engineering tactics to trick unsuspecting victims into launching malicious apps that reference seemingly innocuous documents, photos, and audio files.

These apps contain a variety of bait, including a PDF on guerrilla warfare and images related to guerrilla warfare. deployment of paramilitary forces in Ürümqi, the capital of the Xinjiang Uyghur Autonomous Region, the day after the deadly attack of April 2014.

Opening the malicious application, in turn, launches a decoy document designed to prevent the target from noticing malicious actions in the background.

“Some of the builds also ask for Device Admin and root access, which not only gives the malware full access to the device, but also prevents the victim from easily uninstalling the app,” the researchers said.

cyber security

Other features supported by MobileOrder include running a remote shell and even removing additional Android Package (APK) files.

The attribution of the campaign to Scarlet Mimic, by Check Point, stems from clear code overlaps, shared infrastructure, and the same patterns of victimology.

Additionally, continued use of MobileOrder signals a shift in the attack vector from desktop surveillance to mobile surveillance, with the actor previously linked to Windows malware called Psylo Trojan.

While it’s unclear which of these attacks over the past seven years have been successful, the very fact that malware authors continue to deploy the spyware is an indication that some of these efforts have paid off.

“The persistence of the campaign, the evolution of malware, and the persistent focus on targeting specific populations indicate that the group’s operations over the years are succeeding to some degree,” Check Point said.

You may also like

Leave a Comment

About Us

Times Global Will keep you updated To the Latest News Around The Globe..

Feature Posts


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Subscribe To our Newsletter

Join our subscribers list and get Latest News directly to your inbox.