The malicious apps mimicked so-called virtual private networks, which are used to set up secure web connections and view prohibited content inside China. They also targeted apps frequently used by Uighurs for shopping, video games, music streaming, adult media and travel booking, as well as specialized Uighur keyboard apps. Some offered Uighurs beauty and traditional-medicine tips. Others impersonated apps from Twitter, Facebook, QQ — the Chinese instant messaging service — and the search giant Baidu.
Once downloaded, the apps gave China’s hackers a real-time window into their targets’ phone activity. They also gave China’s minders the ability to kill their spyware on command, including when it appeared to suck up too much battery life. In some cases, Lookout discovered that all China’s hackers needed to do to get data off a target’s phone was send the user an invisible text message. The malware captured a victim’s data and sent it back to the attackers’ phone via a text reply, then deleted any trace of the exchange.
In June 2019, Lookout uncovered Chinese malware buried in an app called Syrian News. The content was Uighur-focused, suggesting China was trying to bait Uighurs inside Syria into downloading its malware. That Beijing’s hackers would track Uighurs to Syria gave Lookout’s researchers a window into Chinese anxiety over Uighur involvement in the Syrian civil war. Lookout’s researchers found similarly malicious apps tailored to Uighurs in Kuwait, Turkey, Indonesia, Malaysia, Afghanistan and Pakistan.
Researchers at other security groups, such as Citizen Lab, had previously uncovered various pieces of China’s mobile hacking campaign and linked them back to Chinese state hackers. However, Lookout’s new report appears to be the first time researchers were able to piece together these older campaigns with new mobile malware and tie them to the same groups.
“Just how far removed the state is from these operations is always the open question,” said Christoph Hebeisen, Lookout’s director of security intelligence. “It could be that these are patriotic hackers, like the kind we have seen in Russia. But the targeting of Uighurs, Tibetans, the diaspora and even Daesh, in one case, suggests otherwise,” he added, using another term for the Islamic State.
One clue to the attackers’ identities came when Lookout’s researchers found what appeared to be test versions of China’s malware on several smartphones that were clustered in and around the headquarters of the Chinese defense contractor Xi’an Tianhe Defense Technology.
A large supplier of defense technology, Tianhe sent employees to a major defense conference in Xinjiang in 2015 to market products that could monitor crowds. As a surveillance gold rush took over the region, Tianhe doubled down, establishing a subsidiary in Xinjiang in 2018. The company did not respond to emails requesting comment.