
Facebook said it disrupted a hacking operation that used the social media platform to distribute iOS and Android malware that was spying on Uyghur people from the Xinjiang region of China.
Malware for both mobile operating systems had advanced capabilities that could steal just about anything stored on an infected device. The hackers, whom researchers have linked to groups working on behalf of the Chinese government, placed the malware on websites frequented by activists, journalists and dissidents who originally came from Xinjiang and later moved abroad.
“This activity had the hallmarks of a well-equipped and sustained operation, but obscured who is behind it,” Mike Dvilyanski, Facebook’s head of cyberespionage investigations, and Nathaniel Gleicher, the company’s chief of security policy, wrote in a message on Wednesday. “On our platform, this cyber-espionage campaign mainly manifested itself in sending links to malicious websites rather than directly sharing the malware itself.”
Contaminating iPhones for years
The hackers seeded websites with malicious JavaScript that could covertly infect targets’ iPhones with a full-blown malware profiled by Google and security firm Volexity in August 2019 and last April. The hackers exploited a host of vulnerabilities in iOS to install the malware, which Volexity dubbed Insomnia. Researchers refer to the hacking group as Earth Empusa, Evil Eye or PoisonCarp.
Google said that at the time some of the exploits were used, they were zero-days, meaning they were very valuable because they were unknown to Apple and most other organizations around the world. Those exploits worked against iPhones running iOS versions 10.x, 11.x, and 12.0 and 12.1. Volexity later found exploits that worked against versions 12.3, 12.3.1 and 12.3.2. All told, the exploits gave the hackers the ability to infect devices for more than two years. The Facebook message shows that the hackers remained active even after they were unmasked by researchers.
Insomnia had the ability to exfiltrate data from a variety of iOS apps, including Contacts, GPS, and iMessage, as well as third-party offerings from Signal, WhatsApp, Telegram, Gmail, and Hangouts. To hide the hacking and prevent Insomnia from being discovered, the exploits were only delivered to visitors who passed certain checks, including checks of their IP address, OS, browser, and locale and language settings. Volexity provided the following diagram to illustrate the exploit chain that successfully infected iPhones.
[Diagram of the iOS exploit chain; image credit: Volexity]
An extensive network
Evil Eye used fake apps to infect Android phones. Some sites mimicked third-party Android app stores that published Uyghur-themed software. Once installed, the trojan apps infected devices with one of two malware types, one known as ActionSpy and the other called PluginPhantom.
Facebook also named two China-based companies that had developed some of the Android malware. “These China-based companies are likely part of a vast network of suppliers, with varying degrees of operational security,” wrote Facebook’s Dvilyanski and Gleicher.
Chinese government officials have steadfastly denied engaging in hacking campaigns such as those reported by Facebook, Volexity, Google and other organizations.
Unless you have some connection with Uyghur dissidents, it is unlikely that you have been a target of the operations identified by Facebook and the other organizations. For people looking to check for signs that their devices have been hacked, Wednesday’s post offers indicators that can help identify a compromise.