July 2, 2020

Chinese Surveillanceware

How Lookout Detects and Protects Against Surveillanceware Campaigns

Lookout Security Intelligence teams continuously discover and research new threats in order to protect and advise our customers, combining static and dynamic analysis with our machine learning engine. Devices with Lookout installed detect SilkBean, DoubleAgent, CarbonSteal and GoldenEagle, and alert both users and Mobile Endpoint Security administrators when one is found. Lookout also protects against other sophisticated surveillanceware that could otherwise go undetected and allow threat actors to gather sensitive corporate and personal data.

Key Findings

  • Development timeline aligns with Chinese national security directives.
  • Advanced mobile surveillanceware targeting users in at least 14 countries.
  • Languages targeted: Uyghur, Russian, English, Arabic, Chinese, Turkish, Pashto, Persian, Malay, Indonesian, Uzbek and Urdu/Hindi.

Background and Discovery Timeline

The Lookout Threat Intelligence team discovered four Android surveillanceware tools used to target the Uyghur ethnic minority group. Our research indicates these four interconnected malware tools are elements of much larger mAPT (mobile advanced persistent threat) campaigns that have been active since at least 2013. Lookout researchers have been monitoring the development and spread of the surveillanceware families - SilkBean, DoubleAgent, CarbonSteal and GoldenEagle - for years in order to protect customers against these sophisticated threats.

Capabilities and Affected Parties

The apps fall into four separate malware families, each of which has its own unique data gathering priorities and techniques. We named these families SilkBean, DoubleAgent, CarbonSteal and GoldenEagle. The primary goal is to gather intelligence to monitor individuals and use their sensitive data to establish a pattern of life for targets. Application titles and in-app functionality of the malware samples suggest the targets are the Uyghur Muslim ethnic minority group, centered in Xinjiang, China. However, these apps were present in at least 15 countries. Some apps and C2 domains appear to impersonate third-party Uyghur language app stores and focus on Uyghur-targeted apps and services. The development timeline and targeting of these families appear to align with Chinese national security directives and “counter-terrorism” efforts as defined by the Chinese government, perhaps suggesting a broader reach.

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Platform(s) Affected: Android
Threat Type: Spyware, Malware
Entry Type: Threat Guidances

