And the hacks were launched in a similar way as those on iPhones: websites serving news and information for the Uighur community would try to snoop on any visiting device. That’s according to researchers at cybersecurity company Volexity, who reported on Monday that they had found 11 different Uighur and East Turkestan websites that were “strategically compromised” to deliver attacks, with four used to target Google’s operating system. They included sites for the Uighur Academy, Turkistan Press, Turkistan TV and Istiqlal Haber.
But it would appear that the targets were not those inside China. Uighur activists living in exile have complained of being harassed by Chinese officials, while human rights watchdogs have condemned Beijing for imprisoning hundreds of thousands of people and establishing a surveillance state in China’s far west Xinjiang province, the homeland of the majority Muslim Uighur people. As the researchers explained, the compromised websites are inaccessible within China because of the so-called Great Firewall that blocks sites censored by the communist authorities. That meant that it’s likely only those based outside of the country were hit by the Android malware.
iOS and Android exploits from China
Forbes has not yet confirmed whether those hacked websites were the same as those that targeted iOS, as reported by Google’s Project Zero team last week. Google hasn’t responded to a request for comment at the time of publication. One source with knowledge of the attacks said that whilst it wasn’t clear if the same sites were used by the iPhone hackers, it was part of the same operation. Volexity has dubbed the group that targeted Android as Evil Eye.
Volexity had its own theories, though. “While Volexity can only confirm malware targeted Android users through Uighur websites, it is reasonable to suspect that these same attack campaigns could have easily been leveraged to target Apple and Microsoft users,” the researchers wrote.
The researchers also pointed to some indications that the Android hackers ceased their attacks via the Uighur sites shortly after Google’s Project Zero blog detailed the iOS attacks. This could indicate they were part of the same digital espionage group. For instance, three sites set up by the Android hackers were no longer accessible after Google’s release. Just as suspicious, the malicious code running on the compromised websites was removed in the same timeframe. And they found malicious code on the Uighur Academy site that contained the string “appstore”, which could be a reference to Apple’s App Store.
The hackers also created Google apps that grabbed victim emails and contact lists from Gmail accounts. As the researchers wrote: “One such way is to develop an application and fool a targeted user into authorizing it to have access to their e-mail account. This will typically bypass two-factor authentication (2FA) and provide the attacker resilience against user password changes.”
Yonathan Klijnsma, head of threat research at RiskIQ, noted this was all part of “unsettling” surveillance on Uighur people.