China uses phone malware to spy on Uyghurs living abroad, cyber-investigator says

The malware lurks inside phone applications that are popular among Uyghurs living in 14 countries, researchers said.

Published: July 7, 2020 7:39pm

Updated: July 8, 2020 11:26pm

Chinese hackers are spying on Uyghur Muslims around the world, using malware that collects personal information from cell phones, a cybersecurity investigator told Just the News.

The malware lurks inside phone applications that are popular among Uyghurs living in 14 countries, said Kristin Del Rosso, senior security intelligence engineer at Lookout, the San Francisco-based company that found the harmful software. 

The applications — codenamed GoldenEagle, SilkBean, DoubleAgent, and CarbonSteal — were found on one type of system, but could exist on others, Del Rosso said.

“The families we have described (GoldenEagle, SilkBean, DoubleAgent, and CarbonSteal) have only been seen on Android at the moment,” Del Rosso said. “It is possible there is an iOS component, however we do not have data to definitively confirm that.”

The hackers have spied on their targets at least since 2013, according to a statement from the Lookout company. The malware targets Tibetans, but mainly spies on Uyghurs, the company said.

The Uyghurs are an ethnic minority living in Central Asia, in territory known by Uyghurs as East Turkistan and by Beijing officials as the Xinjiang Uyghur Autonomous Region of China.

Primarily Muslim, the Turkic-speaking Uyghurs have lived in the region for some 4,000 years. In 1949, their territory was absorbed by Communist China. 

In recent years, the international community has denounced China for holding more than 1 million Uyghurs and members of other ethnic groups captive, locking them inside concentration camps under brutal conditions. 

Communist Chinese officials reportedly keep close tabs on Uyghurs living inside the autonomous region. Three years ago, though, an exile group warned that Beijing also would use technology to spy on Uyghurs living abroad.

“Email and the internet have created new opportunities to monitor the activities of Uyghur activists, who find themselves frequently targeted by attempts to gain access to their communications,” said the Uyghur American Association in a 2017 statement. “This makes communicating with Uyghurs still in China very risky, as phone calls can be monitored more easily than in the past.”

The warning was accurate, according to the cybersecurity engineer.

“We knew there was already surveillance-ware targeting the region and Uyghur individuals, so hunting around characteristics of that malware or apps that might appeal to that audience provided the foothold into a much larger investigation,” Del Rosso said.

The company searched more than 100 million apps in its dataset, and found malware families with suspicious permissions and capabilities. 

“After uncovering these malware families, we were able to connect them together by reverse engineering their code and closely studying their command and control infrastructure and signing certificates,” Del Rosso said.

In a report on its investigation, Lookout wrote that the applications likely were implanted through target phishing and fake third-party app stores. Based on the languages the apps were written in, investigators concluded that targets were being spied on in 14 countries. These include France, Kuwait, Egypt, Saudia Arabia, Turkey, and Syria. 

The systems appear to align with Chinese security directives, the Lookout report stated. 

The report follows recent press accounts that China has committed atrocities against ethnic Uyghurs. The alleged abuses include forced sterilization, mass incarceration, and torture. 

In June, President Trump signed into law a human rights policy act imposing sanctions for human rights abuses in China's Xinjiang Uyghur Autonomous region, and mandating U.S. government reports on the topic. 

On Monday, Uyghur exiles reportedly asked the International Criminal Court to investigate China for genocide and human rights abuses against the ethnic minority.

Unlock unlimited access

  • No Ads Within Stories
  • No Autoplay Videos
  • VIP access to exclusive Just the News newsmaker events hosted by John Solomon and his team.
  • Support the investigative reporting and honest news presentation you've come to enjoy from Just the News.
  • Just the News Spotlight

    Support Just the News