Facebook blocks hackers that infected iOS and Android devices

Stock photo of skull and crossbones on smartphone screen.

Facebook said it had halted a hacking operation that used the social media platform to spread iOS and Android malware that spied on the Uighur people in the Xinjiang region of China.

The malware for both mobile operating systems had advanced features that could steal just about anything stored on an infected device. The hackers, who the researchers linked to groups working on behalf of the Chinese government, planted the malware on websites frequented by activists, journalists and dissidents who originally came from Xinjiang and then moved abroad.

“This activity had the marks of a persistent and well-resourced operation while overshadowing whoever is behind it,” wrote Mike Dvilyanski, Facebook’s head of cyber espionage investigations, and Nathaniel Gleicher, head of the company’s security policy, in a post on Wednesday. “On our platform, this cyber espionage campaign was manifested mainly in sending links to malicious websites, rather than directly sharing the malware itself.”

Infecting iPhones for years

Hackers sowed websites with malicious JavaScript that could surreptitiously infect targeted iPhones with full-featured malware that Google and security company Volexity profiled in August 2019 and last April. The hackers exploited a number of iOS vulnerabilities to install the malware, which Volexity called Insomnia. Researchers refer to the group of hackers as Earth Empusa, Evil Eye or PoisonCarp.

Google said that some of the exploits were zero-days at the time they were used, meaning they were highly valuable because they were unknown to Apple and to most other organizations around the world. These exploits worked on iPhones running iOS versions 10.x, 11.x, 12.0 and 12.1. Later, Volexity found exploits that worked on versions 12.3, 12.3.1 and 12.3.2. Together, the exploits gave the hackers the ability to infect devices for more than two years. The Facebook post shows that even after being exposed by the researchers, the hackers remained active.

Insomnia was able to exfiltrate data from a range of iOS applications, including contacts, GPS and iMessage, as well as from third-party apps such as Signal, WhatsApp, Telegram, Gmail and Hangouts. To keep the hacking hidden and prevent Insomnia from being discovered, the exploits were delivered only to visitors who passed certain checks, including on their IP address, OS, browser, and country and language settings. Volexity provided the following diagram to illustrate the exploit chain that successfully infected iPhones.

[Diagram: Volexity's illustration of the iPhone exploit chain; image not reproduced here. Credit: Volexity]

An extensive network

Evil Eye used fake apps to infect Android phones. Some sites imitated third-party Android app stores that published Uighur-themed software. Once installed, the trojanized apps infected devices with one of two families of malware, one known as ActionSpy and the other called PluginPhantom.

Facebook also named two China-based companies said to have developed some of the Android malware. “These China-based companies are likely to be part of a wide network of suppliers, with varying degrees of operational security,” wrote Dvilyanski and Gleicher of Facebook.

Chinese government officials have vehemently denied that the government is involved in hacking campaigns such as those reported by Facebook, Volexity, Google and other organizations.

Unless you have a connection with Uighur dissidents, it is unlikely that you have been the target of the operations identified by Facebook and other organizations. For people who want to check for signs that their devices have been hacked, Wednesday’s post provides indicators of compromise.
