Tibetan phishing attack now comes with Android Trojan
Contributed by: Email on 03/28/2013 02:36 PM
The researchers at Kaspersky Lab have noted a new attack on Tibetan activists that now targets their smartphones. According to the report, a recent spear-phishing attack, launched from the hacked email account of a "high-profile Tibetan activist", skipped the usual payload of malicious ZIP, DOC, XLS and PDF files and instead carried an APK (Android PacKage) file as its attachment.
The APK file presented itself as information and a statement about the "World Uyghur Congress Conference". If the user installed and ran it, it displayed a brief text about the forthcoming conference, while in the background it contacted a command-and-control server and began harvesting geodata, contacts, call logs and SMS messages to send back to that server.
The command-and-control server has a Los Angeles-based IP address, 64.78.161.133, with one domain, dlmdocumentsexchange.com, associated with it. The domain is registered to a Chinese address, and visiting the site serves up another APK file, which displays Chinese text about the disputed "Senkaku Islands / Diaoyudao Islands / Diaoyutai Islands". The server also has Chinese-language interfaces and runs on a Windows Server 2003 system configured for Chinese. All this leads the Kaspersky researchers to conclude that the attackers are at least Chinese speaking.
They add that this is the first targeted attack against smartphones that they have seen in the wild, and that the way it was distributed suggests a move by the regular attackers away from their other social engineering ploys. The best defence for any Android phone user is never to install an application received by email or from another untrustworthy source, and to leave enabled Android's option that restricts installation to applications from Google Play or another trusted store.
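Because the attachment in this campaign was an APK rather than the usual document types, a mail gateway that keys only on file extensions can miss it. The following added example (not code from the report or from Kaspersky) identifies an Android package by its container contents instead of its declared filename; the sample attachments it builds are constructed in-memory stand-ins, not the real files from the attack.

```python
import io
import zipfile

# Entries every real Android package carries; a zip containing both is an
# APK regardless of what extension the attachment filename claims.
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")


def is_apk(data: bytes) -> bool:
    """Return True if the attachment bytes are an Android package."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # not a zip container, so it cannot be an APK
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return all(marker in names for marker in APK_MARKERS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Label an attachment for a gateway rule: content wins over extension."""
    if is_apk(data):
        return "apk"
    if filename.lower().endswith(".apk"):
        return "apk-named-but-not-apk"
    return "other"


def _build_sample(entries: dict) -> bytes:
    """Assemble a constructed zip archive from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (hypothetical), not the attachment from the report.
SAMPLE_APK = _build_sample({"AndroidManifest.xml": b"\x03\x00\x08\x00",
                            "classes.dex": b"dex\n035\x00"})
SAMPLE_ZIP = _build_sample({"statement.doc": b"plain document"})

if __name__ == "__main__":
    # An APK renamed to look like a PDF is still flagged as an APK.
    print(classify_attachment("WUC_Conference.pdf", SAMPLE_APK))  # apk
    print(classify_attachment("archive.zip", SAMPLE_ZIP))         # other
```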