Operation Flashpoint Android


Slikk Huisenga

Aug 4, 2024, 9:34:13 PM8/4/24
to graninolis
In this report, BlackBerry researchers reveal what the focus on those groups has overshadowed: several governments with well-established cyber capabilities have long ago adapted to and exploited the mobile threat landscape for a decade or more. In this context, mobile malware is not a new or niche effort, but a longstanding part of a cross-platform strategy integrated with traditional desktop malware in diverse ways across the geopolitical sphere.

This approach has allowed state and state-sponsored Advanced Persistent Threat (APT) groups to exploit a mobile dimension for espionage campaigns with impunity. Low threat detection rates and a false sense of security have made mobile users an easy target. Given an immature market, security solutions intended to block mobile malware are few in number, forensic access to smartphones remains relatively limited, and existing public research into the mobile malware threat posed by governments has been scattershot at best and maladroit at worst.


This report provides a detailed survey of the strategic and tactical use of mobile malware by various governments. It attempts to fill in gaps in earlier research on the subject of mobile malware, and identifies and names new malware, new campaigns, and new threat actors - all of which yields a new and redefined understanding of nation-state APT operations. The conclusions drawn here are intelligence assessments representing judgments based on available data.


Mobile threats have been around nearly as long as the mobile phone, but they continue to increase in number and complexity as mobile devices become more embedded in, and critical to, our everyday lives. What started out as a somewhat limited attack surface more than a decade ago has grown into a vast landscape of devices utilizing the iOS and Android operating systems. These devices include mobile phones, tablets, televisions, medical devices, alarm systems, and point-of-sale credit card payment systems, among others.


Targeted mobile espionage campaigns complement traditional computer network, human, and signals intelligence efforts and play to the advantage of governments stuck in an asymmetrical power imbalance with other nations. They also offer something traditional espionage means do not: plausible deniability and a lighter attack footprint.


Because of these advantages, the market for exploits targeting mobile devices has skyrocketed. As of this publication, the going rate for a zero-click exploit for the Android operating system has hit $2.5 million dollars, while zero-click iPhone exploits have dropped to $1 million dollars (Greenberg, 2019). These nosebleed prices are reflective of the increasing difficulty of producing reliable exploits given the significant financial and technological investments in security by smartphone manufacturers over the past several years. Yet, difficult does not mean impossible.


Indeed, the sheer scale of mobile malware that is in-use by state or state-sponsored APT groups that BlackBerry researchers observed in producing this report and the ease with which this mobile malware has been interwoven with desktop malware campaigns, shows definitively that at least several nation states have overcome that barrier.


The earliest publicly available security research detailing the use of mobile malware by a nation-state APT focused on China. The most frequent focus of Chinese mobile malware are targets of interest perceived to be a potential threat to the power of the Chinese Communist Party (CCP).


The mobile malware campaign efforts BlackBerry researchers observed against Chinese targets of interest can be understood as a single covert stage in a larger active measures influence operation and strategy. The question becomes: who was and is currently behind these attacks? Might the Political Work Department have a cyber capability and field activity groups?


BlackBerry researchers found, after investigating these two reports, that the attack group behind the campaign was likely not a previously unknown Chinese APT group - one who might represent the hidden cyber wing of the Political Work Department. Instead we found these recent espionage attacks to be linked to a very familiar Chinese APT group known as WINNTI, particularly as described in its later iteration as BURNING UMBRELLA (Hegel, 2018).


WINNTI has been categorized within the security community as something of a conglomerate utility player working in support of the Chinese government with various, disparate targets in desktop malware campaigns, including global gaming companies, pharmaceutical giants, industrial manufacturing, chemical companies, and the United States defense industrial base.


The most recent effort complements a domestic campaign that also features a mobile dimension. For several years, the Chinese government has compelled those entering the Xinjiang region in China to install Android applications on their smartphones (AFP, 2017), some of which have been found to have atrociously bad security (Cox, 2018), raising suspicions that they are really meant as backdoors focused on certain targets of interest.


The Android malware did not automatically send harvested information from infected phones, but instead waited until a specially crafted text message was received. Another piece of Android malware (known as an APK file), also identified by Kaspersky, referenced the disputed Senkaku Islands/Diaoyu Islands in the East China Sea, which continue to be a geopolitical flashpoint between China and Japan to this day.


After further investigating the Citizen Lab report, BlackBerry researchers connected the 2012 mobile attacks on activists to several well-known, traditional desktop APT espionage groups including REAVER (aka SUTR), SCARLET MIMIC, and LOTUSBLOSSOM, whose tools notably do not typically include mobile malware. Instead, REAVER and LOTUSBLOSSOM are better known for Windows-based espionage campaigns linked to recent attacks on the automotive industry, the defense industry, the European Union, and the United Nations.


BlackBerry researchers dubbed this newly identified campaign OPERATION DUALCRYPTOEX. The researchers also identified new malware families that target both Android and Windows, which BlackBerry researchers dubbed PWNDROID3 and PWNWIN1, respectively. The effort is the work of a newly identified Chinese APT group BlackBerry researchers dubbed BBCY-TA2.


BBCY-TA2 has taken note and taken advantage. The PWNDROID3 offered a wide range of capabilities including geolocation tracking, call monitoring, screen monitoring, and a host of other functions. Perhaps the most intriguing feature was a function that holds a list of specific locations or addresses and sends BBCY-TA2 geofencing alerts when they are visited. Here is a brief overview of the technical connections between BBCY-TA2 and the 2014 campaigns, as well as a quick tour of OPERATION DUALCRYPTOEX:


BlackBerry researchers observed this group most recently targeting telecommunications providers across the countries that ring the South China Sea for espionage purposes. In addition, BlackBerry researchers observed extensive campaigns throughout 2018 and 2019 in which BBCY-TA3 pursued nearly every major chemical manufacturing company in the world outside China, with particular interest in companies based in Germany, the U.S., and Canada.


The Iranian APT strategy for adoption of the mobile dimension is thus in line with that of the Chinese attack groups, whose earliest mobile campaigns were similarly motivated by an imperative to keep track of certain individuals both in and out of country who challenged the authority of the government.


In their report, Check Point detailed how a more advanced set of Android malware was quickly leveraged in a prolonged campaign of Iranian government espionage that was focused on Kurdish and Turkish natives, as well as ISIS supporters. At first glance this would suggest an outward-facing mobile espionage effort driven by counterterrorist and foreign policy concerns. None of that would be particularly surprising given that all these groups are in play in the Syrian conflict where Iran supports the Assad regime.


In a relatively short amount of time, Iran can be seen to have followed an implementation strategy first employed by other non-democratic countries like China in honing a capability initially on domestic targets of interest before turning it outward for other espionage purposes. Iran has previously been observed following this course in the development and implementation of its traditional desktop cyber operations strategy (Anderson & Sadjadpour, 2018).


Deutsche Welle also provided evidence that the supposed non-profit was used in information and influence operations beneficial to the Turkish government. BlackBerry researchers assess that MUDDYWATER was aware of this connection, and that the SETA domain was chosen precisely because of its relationship with the Turkish government, given the likelihood that it would be implicitly trusted by government officials targeted by the SMS text messages.


Iran is continuing to conduct mobile surveillance on its own citizens, minority ethnic groups, and neighboring countries involved in strategic regional conflicts. BlackBerry researchers suspect the increased interest in countries like Turkey is due to recently forged military ties with Russia. In fewer than three years, Iran has drastically improved the quality and complexity of its Android malware, the sophistication of its socially engineered delivery mechanisms, the ability to pivot between domestic and foreign target sets, and the implementation of a cross-platform strategy that integrates mobile and desktop malware.


As a result of the Korean language barrier and the inherent interest of the South Korean government to exaggerate the North Korean threat, much of the cutting-edge intelligence on the mobile threat remains foggy. And even when BlackBerry researchers examined the Korean language research and lifted one layer of that fog, another took its place, as detailed in the next example.
