It was revealed that between November 2018 and May 2019, senior members of Tibetan groups received ill-intentioned links on WhatsApp by people posing as NGO workers, journalists and other fake personas. Among the victims that were targeted by the hackers include the Private Office of Tibetan Buddhist leader the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, Tibetan human rights groups, and individuals holding senior positions in their respective organizations.
It was uncovered by a team of Canadian cybersecurity researchers who found out that this mobile hacking campaign is targeting high profile members of different Tibetan groups with one-click exploits for iOS and Android devices. The hacking group (Poison Carp) behind this malicious campaign sent malicious links to these victims which when opened, exploited web browser and privilege escalation vulnerabilities to install spyware on iOS and Android devices stealthily.
The researchers also found “technical overlaps” of Poison Carp with two recently discovered campaigns against the Uyghur community in China—the iPhone hacking campaign reported by experts at Google and the Evil Eye campaign published by Volexity last month.
From the similarities of these 3 campaigns, researchers believed that the Chinese government sponsors Poison Carp group.
Researchers observed a total of 17 intrusion attempts against Tibetan targets that were made over that period, 12 of which contained links to the iOS exploit.
Once installed, the malicious implant allows attackers to:
- gain full control of victims device,
- exfiltrate data including text messages, contacts, call logs, and location data,
- access the ‘device’s camera and microphone,
- exfiltrate private data from Viber, Telegram, Gmail, Twitter, and WhatsApp,
- downloads and install additional malicious plugins.
Besides this, researchers also saw a malicious OAuth application that the same group of attackers used to gain access to its ‘victims’ Gmail accounts by redirecting them to a decoy page designed to convince them that the app served a legitimate purpose. Though this is not the first case attempting to target Tibetan government, the researchers say the new Poison Carp campaign is “the first documented case of one-click mobile exploits used to target Tibetan groups.”
After the disclosure of iPhone hacking campaign, Apple released a statement last month confirming that the iOS campaign targeted the Uyghur community and saying that the company patched the vulnerabilities in question in February this year.
Since none of the iOS and Android vulnerabilities exploited in the campaign is zero-day, users are highly recommended always to keep their mobile devices up-to-date to become a victim of such attacks.