A new wave of a mobile surveillance campaign has been observed
targeting the Uyghur community as part of a long-standing spyware
operation active since at least 2015, cybersecurity researchers
disclosed Thursday.
The intrusions, originally attributed in January 2016 to a threat actor named Scarlet Mimic[1], are said to have encompassed 20 different variants of the Android malware, which were disguised as books, pictures, and an audio version of the Quran.
The malware, while relatively unsophisticated from a technical
standpoint, comes with extensive capabilities to steal sensitive
data from an infected device, send SMS messages on the victim’s
behalf, make phone calls, and track their locations.
Additionally, it allows the recording of incoming and outgoing
phone calls as well as surrounding audio.
“All this makes it a powerful and dangerous surveillance tool,” Israeli cybersecurity firm Check Point said[2] in a technical deep dive, calling the spyware MobileOrder.
It’s worth noting that a part of the campaign was recently disclosed by researchers from the MalwareHunterTeam and Cyble[3], in which a book written by the exiled Uyghur leader Dolkun Isa was used as a lure to deliver the malware.
Check Point said it observed MobileOrder artifacts in the wild from 2015 through mid-August 2022, with the exception of 2021, when none were detected.
Attack campaigns likely involve the use of social engineering
tactics to trick unsuspecting victims into launching malicious
applications that reference seemingly innocuous documents, photos,
and audio files.
These apps contain a variety of baits, including a PDF about
guerrilla warfare and pictures related to the deployment of paramilitary forces[4] in Ürümqi, the capital
of the Xinjiang Uyghur Autonomous Region, in the aftermath of the
deadly April 2014 attack[5].
Opening the rogue app, in turn, launches a decoy document
designed to distract the target from noticing the malicious actions
in the background.
“Some of the versions also ask for Device Admin and root access,
which not only gives the malware full access to the device, but
also prevents the victim from easily uninstalling the application,”
the researchers said.
Other features supported by MobileOrder include executing a
remote shell and even dropping additional Android Package (APK)
files.
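The capabilities listed above (sending SMS, placing calls, tracking location, recording audio, requesting Device Admin, and installing further APKs) are all things an Android app has to declare or register in its manifest. The following triage script is an added example, not Check Point's tooling or anything recovered from MobileOrder: it takes a decoded AndroidManifest.xml (as produced by apktool or androguard; the binary manifest inside a raw APK is not parsed here) and reports which of those capability buckets the app declares. The two sample manifests, including the package name com.example.quran.reader, are constructed for illustration.

```python
"""Triage helper: flag an Android manifest whose declared capabilities match
the surveillance profile described in the article (SMS sending, phone calls,
location, audio recording, Device Admin, dropping additional APKs).

Added example, not Check Point's code. Expects a decoded (plain-text)
AndroidManifest.xml; raw APKs carry a binary-XML manifest this cannot read.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability buckets derived from the behaviour the article attributes to
# MobileOrder. A manifest that hits most of them deserves a closer look.
CAPABILITIES = {
    "send_sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS"},
    "phone_calls": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "drop_apk": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def declared_permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def requests_device_admin(root):
    """True if a receiver is guarded by BIND_DEVICE_ADMIN and listens for
    DEVICE_ADMIN_ENABLED, the manifest pattern behind a Device Admin prompt."""
    for receiver in root.iter("receiver"):
        if receiver.get(PERM_ATTR) != "android.permission.BIND_DEVICE_ADMIN":
            continue
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == "android.app.action.DEVICE_ADMIN_ENABLED":
                return True
    return False


def triage(manifest_xml, threshold=4):
    """Return the package name, the capability buckets hit, and a verdict.
    `threshold` is an arbitrary cut-off chosen for this example."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    hits = [cap for cap, needed in CAPABILITIES.items() if perms & needed]
    if requests_device_admin(root):
        hits.append("device_admin")
    hits.sort()
    return {"package": root.get("package"), "hits": hits,
            "suspicious": len(hits) >= threshold}


# Constructed sample: a "Quran reader" that declares the full surveillance
# profile and registers a Device Admin receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quran.reader">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Quran">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a plain document viewer that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdf.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="PDF Viewer"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

Permissions alone are not proof of spyware; messaging and navigation apps legitimately request several of these. The signal is the combination of buckets in an app whose advertised purpose (a book, a set of photos, an audio recording) needs none of them, together with a Device Admin receiver. Root access, which the article says some variants also request, leaves no manifest trace and has to be found in the code or at runtime.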
The campaign’s attribution to Scarlet Mimic, per Check Point,
stems from clear code overlaps, shared infrastructure, and the same
victimology patterns.
Furthermore, the ongoing use of MobileOrder signals a shift in attack vector from desktop to mobile surveillance, given that the actor was previously linked to a Windows malware called Psylo Trojan.
While it’s not clear which of these attacks throughout the past
seven years have been successful, the very fact that the malware
authors are continuing to deploy the spyware is an indication that
some of these efforts have paid off.
“The persistence of the campaign, the evolution of the malware
and the persistent focus on targeting specific populations indicate
that the group’s operations over the years are successful to some
extent,” Check Point said.
References
[1] Scarlet Mimic (unit42.paloaltonetworks.com)
[2] said (research.checkpoint.com)
[3] MalwareHunterTeam and Cyble (thehackernews.com)
[4] deployment of paramilitary forces (bbs.wenxuecity.com)
[5] deadly April 2014 attack (en.wikipedia.org)
Read more https://thehackernews.com/2022/09/researchers-uncover-years-long-mobile.html