Following its clampdown on Uighurs living in the Xinjiang province, China has now turned its focus to Tibetan officials and is targeting them with mobile malware similar to that used against Uighurs.
According to researchers at University of Toronto’s Citizen Lab, between November 2018 and May 2019, several senior Tibetan officials were sent malicious links via WhatsApp by attackers disguised as NGO workers and journalists, among others. These links either exploited web browser vulnerabilities or installed spyware on Android and iOS devices. In some cases, they also redirected to OAuth phishing pages.
As first reported by Zack Whittaker for TechCrunch, these exploits could give the attackers access to “text messages, contact lists and call logs” as well as the ability to use the device’s camera and microphone.
The researchers found a total of eight browser exploits and one spyware kit for Android, and one exploit chain as well as spyware for iOS. They also noted that none of the exploits found was a zero-day, as they only affected devices running iOS versions 11.0 to 11.4. The iOS exploits and spyware were the same ones used in the watering hole attacks against iOS devices disclosed by Google. The Android exploits used in this campaign had not been documented earlier.
In the featured image of the article, you can see that the attacker is trying to deceive the victim into clicking on a malicious link.
The Tibetan Computer Emergency Readiness Team (TibCERT), a coalition of Tibetan organisations working to improve digital security, shared samples of the messages containing suspicious links with Citizen Lab. According to the researchers, the intrusion attempts were carried out by a single threat actor, which they call Poison Carp.
“The intrusion attempts arrived via WhatsApp messages from seven fake personas designed to appear as journalists, staff at international advocacy organisations, volunteers to Tibetan human rights groups, and tourists to India. The fake personas exclusively used WhatsApp phone numbers with Hong Kong country codes (+852),” the research by Citizen Lab details.
Of the 15 intrusion attempts detected by the researchers, eight people recall clicking on the malicious link, but none of their devices was affected because they were running newer, non-vulnerable versions of Android or iOS.
You can read the entire research by Citizen Lab here.
China has also been in the news for running propaganda ads on Twitter as well as Facebook and other popular social networks, discrediting the protesters in Hong Kong. Learn more about Hong Kong’s protests here.
Last month, Google Chrome, Mozilla Firefox and Apple Safari, along with other web browsers, blocked the certificate issued by the Kazakhstan government, which internet users in the country had been required to install and which could be used to intercept communications on HTTPS connections, even from outside the country.