July 2, 2020

Chinese Surveillanceware

How Lookout Detects and Protects Against Surveillanceware Campaigns

Lookout Security Intelligence teams continuously discover and research new threats to protect and advise our customers, combining static and dynamic analysis with our machine learning engine. Devices with Lookout installed detect SilkBean, DoubleAgent, CarbonSteal and GoldenEagle and alert users and Mobile Endpoint Security administrators. Lookout also protects against other sophisticated surveillanceware that could otherwise go undetected, allowing threat actors to gather sensitive corporate and personal data.

Key Findings

  • Development timeline aligns with Chinese national security directives.
  • Advanced mobile surveillanceware targeting users in at least 14 countries.
  • Languages targeted: Uyghur, Russian, English, Arabic, Chinese, Turkish, Pashto, Persian, Malay, Indonesian, Uzbek and Urdu/Hindi.

Background and Discovery Timeline

The Lookout Threat Intelligence team discovered four Android surveillanceware tools used to target the Uyghur ethnic minority group. Our research indicates these four interconnected malware tools are elements of much larger mAPT (mobile advanced persistent threat) campaigns that have been active since at least 2013. Lookout researchers have been monitoring the development and spread of the surveillanceware families - SilkBean, DoubleAgent, CarbonSteal and GoldenEagle - for years in order to protect customers against these sophisticated threats.

Capabilities and Affected Parties

The apps fall into four separate malware families, each of which has its own unique data gathering priorities and techniques. We named these families SilkBean, DoubleAgent, CarbonSteal and GoldenEagle. The primary goal is to gather intelligence to monitor individuals and use their sensitive data to establish a pattern of life for targets. Application titles and in-app functionality of the malware samples suggest the targets are the Uyghur Muslim ethnic minority group, centered in Xinjiang, China. However, these apps were present in at least 15 countries. Some apps and C2 domains appear to impersonate third-party Uyghur language app stores and focus on Uyghur-targeted apps and services. The development timeline and targeting of these families appear to align with Chinese national security directives and “counter-terrorism” efforts as defined by the Chinese government, perhaps suggesting a broader reach.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Platform(s) Affected: Android
Threat Type: Spyware, Malware
Entry Type: Threat Guidances
