A new wave of a mobile surveillance campaign has been observed targeting the Uyghur community as part of a long-standing spyware operation active since at least 2015, cybersecurity researchers disclosed Thursday.
The intrusions, originally attributed to a threat actor named Scarlet Mimic back in January 2016, is said to have encompassed 20 different variants of the Android malware, which were disguised as book, pictures, and an audio version of the Quran.
The malware, while relatively unsophisticated from a technical standpoint, comes with extensive capabilities to steal sensitive data from an infected device, send SMS messages on the victim’s behalf, make phone calls, and track their locations.
Additionally, it allows the recording of incoming and outgoing phone calls as well as surrounding audio.
“All this makes it a powerful and dangerous surveillance tool,” Israeli cybersecurity firm Check Point said in a technical deepdive, calling the spyware MobileOrder.
It’s worth noting that a part of the campaign was recently disclosed by researchers from the MalwareHunterTeam and Cyble, in which a book written by the exiled Uyghur leader Dolkun Isa was used as a lure to deliver the malware.
Check Point said it observed MobileOrder artifacts in the wild right from 2015 to mid-August 2022, with the exception of 2021, when none were detected.
Attack campaigns likely involve the use of social engineering tactics to trick unsuspecting victims into launching malicious applications that reference seemingly innocuous documents, photos, and audio files.
These apps contain a variety of baits, including a PDF about guerrilla warfare and pictures related to the deployment of paramilitary forces in Ürümqi, the capital of the Xinjiang Uyghur Autonomous Region, in the aftermath of the deadly April 2014 attack.
Opening the rogue app, in turn, launches a decoy document designed to distract the target from noticing the malicious actions in the background.
“Some of the versions also ask for Device Admin and root access, which not only gives the malware full access to the device, but also prevents the victim from easily uninstalling the application,” the researchers said.
Other features supported by MobileOrder include executing a remote shell and even dropping additional Android Package (APK) files.
The campaign’s attribution to Scarlet Mimic, per Check Point, stems from clear code overlaps, shared infrastructure, and the same victimology patterns.
Furthermore, the ongoing use of MobileOrder signals a shift in attack vector from desktop to mobile surveillance, what with the actor previously linked to a Windows malware called Psylo Trojan.
While it’s not clear which of these attacks throughout the past seven years have been successful, the very fact that the malware authors are continuing to deploy the spyware is an indication that some of these efforts have paid off.
“The persistence of the campaign, the evolution of the malware and the persistent focus on targeting specific populations indicate that the group’s operations over the years are successful to some extent,” Check Point said.