Facebook said it had disrupted a hacking operation that used the social media platform to spread malware for iOS and Android that spied on Uighur people from the Xinjiang region of China.
Malware for both mobile operating systems had advanced capabilities that could steal just about anything stored on an infected device. The hackers, who researchers have linked to groups working on behalf of the Chinese government, planted malicious software on websites visited by activists, journalists and dissidents who originally came from Xinjiang and later moved abroad.
“This activity was characterized by a resourceful and sustained operation while obscuring who was behind it,”
Infecting iPhones for years
Google said that at the time some of the exploits were used, they were zero days, meaning they were very valuable because they were unknown to Apple and most other organizations around the world. These exploits worked against iPhones running iOS versions 10.x, 11.x, 12.0 and 12.1. Volexity later found exploits that worked against versions 12.3, 12.3.1 and 12.3.2. Together, the exploits gave hackers the opportunity to infect devices for more than two years. Facebook’s posts show that even after being exposed by researchers, the hackers have remained active.
Insomnia had the ability to exfiltrate data from a variety of iOS apps, including Contacts, GPS and iMessage, as well as third-party offerings from Signal, WhatsApp, Telegram, Gmail and Hangouts. To keep the hacking hidden and prevent Insomnia from being detected, the exploits were only delivered to people who passed certain checks, including IP address, OS, browser, and country and language settings. Volexity provided the following chart to illustrate the exploitation chain that successfully infected iPhones.
A growing network
Evil Eye used fake apps to infect Android phones. Some sites mimicked third-party Android app stores that published Uighur-themed software. Once installed, the Trojan app infected devices with one of two malicious software strains, one known as ActionSpy and the other called PluginPhantom.
Facebook also named two China-based companies that they said had developed some of the Android malware. “These China-based companies are probably part of a growing network of suppliers, with varying degrees of operational security,” wrote Facebook’s Dvilyanski and Gleicher.
Officials with the Chinese government have steadfastly denied that they are conducting hacking campaigns such as those reported by Facebook, Volexity, Google and other organizations.
Unless you have a connection to Uighur dissidents, it is unlikely that you have been targeted by the operations identified by Facebook and the other organizations. For people who want to look for signs that their devices have been hacked, Wednesday’s post provides indicators of compromise.