Mobile Malware Disguised in Islamic Artifacts Targets Uyghurs for 7 Years
September 2022 by Check Point Research (CPR)
Check Point Research (CPR) spots an ongoing, mobile malware campaign consistently targeting Uyghurs for seven years. Attributed to the actor Scarlet Mimic, the malware campaign most likely leverages spear-phishing techniques disguised in Islamic artifacts, such as books, pictures and audio files. The malware is capable of stealing data, tracking location, recording audio and sending SMS messages.
• Malware deletes logs of calls and texts afterwards
• Malware opens a decoy document to distract the victim from malicious actions
• CPR diagrams evolution of malware throughout the years
Check Point Research (CPR) sees an ongoing, mobile malware campaign that has consistently targeted Uyghurs for at least the past seven years. Attributed to the actor Scarlet Mimic, the malware campaign was disguised in multiple baits such as books, pictures, and even an audio version of the Quran.
It isn’t clear who is behind Scarlet Mimic. CPR has no evidence to point to a specific country but other researchers have indicated it could be linked to the China, which has previously been accused of hacking and surveillance toward the Uyghurs.
• Steal data from the mobile device - files, browser history, device in formation
• Track real-time geolocation
• Record audio of calls and surroundings
• Perform calls and send SMS messages on victim’s behalf, deleting logs afterwards
CPR believes the malware is distributed via a form of spear phishing that includes trojanized files. The malware is disguised in lures such as books, pictures, and audio files connected to Uyghurs or to Islam. When the victim opens the lure, it actually launches the malicious application, opening a decoy document to distract the victim from malicious actions.
Throughout the years, some changes were introduced by the developers. A few of these changes were clearly developed to reduce the chances of the malware being detected by security solutions: the malware authors experimented with the ways to hide the malicious strings. The actors also added a few adjustments and features to gather more information from their victims’ devices.
Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software: “We discovered a mobile malware campaign consistently targeting Uyghurs for at least 7 years. The campaign has been very consistent during the years, with the last sample dated to middle of August 2022. The scale and the persistence of the campaign is remarkable.
Furthermore, the malware has a lot of active capabilities like calls and surround recording, real time geolocation and even the capability to conduct calls and send SMS messages by using the victim’s phone. All of this allows the threat actor behind the campaign to build a great intelligence picture around its targets.
We suspect the actor Scarlet Mimic is behind this espionage campaign but don’t know much about who is behind this group. We will continue to monitor the situation.”