iPhone and Android: A team of Canadian cybersecurity researchers has uncovered a sophisticated and targeted mobile hacking campaign aimed at high-profile members of various Tibetan groups, using one-click exploits for iOS and Android devices.
Dubbed Poison Carp by University of Toronto’s Citizen Lab, the hacking group behind this campaign sent tailored malicious web links to its targets over WhatsApp, which, when opened, exploited web browser and privilege escalation vulnerabilities to install spyware on iOS and Android devices stealthily.
“Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas,” the researchers say.
What’s more, the researchers said they found “technical overlaps” between Poison Carp and two recently discovered campaigns against the Uyghur community in China—the iPhone hacking campaign reported by experts at Google and the Evil Eye campaign published by Volexity last month.
Based on the similarities between the three campaigns, the researchers believe that the Poison Carp group is sponsored by the Chinese government.
The Poison Carp campaign uses a total of 8 distinct Android browser exploits to install a previously undocumented, fully featured Android spyware called MOONSHINE, and one iOS exploit chain to stealthily install iOS spyware on users’ devices—none of which were zero-days.
“Four of the MOONSHINE exploits are clearly copied from working exploit code posted by security researchers on bug trackers or GitHub pages,” the report says.
Researchers observed a total of 17 intrusion attempts against Tibetan targets that were made over that period, 12 of which contained links to the iOS exploit.
Once installed, the malicious implant allows attackers to:
- gain full control of the victim’s device,
- exfiltrate data including text messages, contacts, call logs, and location data,
- access the device’s camera and microphone,
- exfiltrate private data from Viber, Telegram, Gmail, Twitter, and WhatsApp,
- download and install additional malicious plugins.
Besides this, the researchers also observed a malicious OAuth application that the same group of attackers used to gain access to its victims’ Gmail accounts, redirecting them to a decoy page designed to convince them that the app served a legitimate purpose.